vsum
ReviewAudited by ClawScan on May 10, 2026.
Overview
The skill’s video-summary purpose is coherent, but its Bilibili workflow reads Chrome login cookies even though the registry declares no credentials, so users should review that access before use.
This skill appears to perform the advertised video-subtitle summarization, but use extra caution with Bilibili links because it may read Chrome login cookies. Only use it if you are comfortable with that, verify yt-dlp is installed from a trusted source, and avoid sending private transcript content to an AI provider you do not trust.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the Bilibili path can give the tool access to browser login cookies, which are more sensitive than ordinary video links or subtitle files.
The executable helper reads Chrome browser cookies for Bilibili requests. This is purpose-aligned for logged-in subtitles, but it uses a local browser session while the registry declares no primary credential or required config path.
yt-dlp --cookies-from-browser chrome --write-subs --sub-lang ai-zh,zh-CN,"$LANG" --skip-download "$URL"
Ask for explicit user approval before using browser cookies, declare this credential/session requirement in metadata, and consider a dedicated browser profile or narrowly scoped cookie export.
The skill will contact YouTube or Bilibili through yt-dlp and create subtitle files locally.
The script invokes yt-dlp on a user-provided video URL to retrieve subtitles. This is central to the skill purpose and the URL is quoted, but it is still external command/tool use.
yt-dlp --write-auto-subs --sub-lang "$LANG" --skip-download "$URL"
Run it only on links you intend to process, keep yt-dlp updated from a trusted source, and review generated files before sharing them.
The skill may fail or behave differently depending on the locally installed yt-dlp version/source.
The registry metadata does not declare required binaries or an install mechanism, while SKILL.md documents yt-dlp as a dependency. Users must supply and trust that external binary themselves.
Required binaries (all must exist): none ... No install spec — this is an instruction-only skill.
Declare yt-dlp as a required binary and provide trusted installation guidance or version expectations.
Video transcript content may be processed by an external AI service.
The workflow sends subtitle text to an AI provider for summarization. This is disclosed and purpose-aligned, but the provider and data handling boundaries are not specified.
- AI API - 用于总结(支持 OpenAI、Anthropic、Google 等) ... 调用 AI API 对字幕进行总结
Tell users which AI provider will receive transcript text, and avoid sending private or sensitive subtitles unless the provider’s privacy terms are acceptable.