Bilibili & YouTube Watcher
ReviewAudited by ClawScan on May 1, 2026.
Overview
The skill does what it claims—fetches video subtitles via yt-dlp—but users should notice the external downloader installation and optional browser-cookie troubleshooting advice.
This skill appears safe for its stated purpose of fetching public video transcripts. Before installing, make sure you are comfortable installing yt-dlp, preferably through a trusted package manager. Avoid using the optional browser-cookie troubleshooting command unless you intentionally want yt-dlp to use your logged-in browser session for a video site.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill can contact video platforms and download subtitle files for URLs the agent is asked to process.
The script runs the external yt-dlp tool against the supplied video URL. This is central to the transcript-fetching purpose and uses an argument list rather than a shell, so it is a purpose-aligned note rather than a concern.
result = subprocess.run(cmd, cwd=temp_dir, check=True, capture_output=True)
Use it for video URLs you intend to analyze, and avoid passing unrelated or untrusted links.
If followed, this installation method places a downloaded executable on the system with elevated privileges.
The README documents an optional Linux install method that downloads the latest yt-dlp binary directly and writes it with sudo privileges. yt-dlp is expected for this skill, but this install route has more supply-chain exposure than a pinned package manager install.
sudo curl -L https://github.com/yt-dlp/yt-dlp/releases/latest/download/yt-dlp -o /usr/local/bin/yt-dlp
Prefer the declared package-manager install where possible, or verify the downloaded yt-dlp release before installing it.
Using this troubleshooting command could let yt-dlp access logged-in browser session cookies for the relevant site.
The README suggests an optional troubleshooting command that would allow yt-dlp to read browser cookies. This can be legitimate for accessing videos, but browser cookies are sensitive session data and this is not part of the main script or declared credential requirements.
Use cookies: `yt-dlp --cookies-from-browser chrome "URL"`
Only use browser-cookie options if you understand the account-access implications and trust the yt-dlp installation.