Youmind Youtube Transcript
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill mostly matches its YouTube transcript purpose, but it requests broader Bash and YouMind command authority than the workflow appears to need.
Install only if you trust YouMind and its npm CLI. Keep your API key in environment variables, use the skill for specific YouTube URLs you are comfortable saving to YouMind, and prefer a tightened command allowlist or manual approval for any Bash command outside the documented transcript workflow.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the agent is confused or influenced by later content, it may have more local shell or YouMind CLI authority than is necessary for extracting transcripts.
The workflow only documents a small set of YouMind calls and a simple API-key check, but these wildcard Bash permissions are broader. The environment-check pattern appears capable of matching chained shell commands after the key test.
allowed-tools:
  - Bash(youmind *)
  - Bash([ -n "$YOUMIND_API_KEY" ] *)
Narrow the allowlist to exact setup and API commands, or require explicit user approval for any command outside the documented transcript workflow.
The selected YouTube URLs will be saved to your YouMind account and may consume account quota or credits.
The skill uses a YouMind API key and creates materials on the user's default YouMind board. This is expected for the stated integration, but it is still account-level authority.
primaryEnv: YOUMIND_API_KEY ... youmind call createMaterialByUrl '{"url":"<youtube-url>","boardId":"<boardId>"}'
Use it only with videos you are comfortable saving to YouMind, keep the API key in environment variables rather than chat, and review created board items if needed.
Installing the CLI adds external code to the local environment.
The setup installs an external npm package globally. This is central to the skill's purpose, but users must trust the package source and install-time behavior.
npm install -g @youmind-ai/cli
Install only from a trusted npm source, consider verifying the package/version, and avoid running global installs in sensitive environments unless necessary.
Transcript polling may continue briefly in the background after the main response.
The skill may use a background/subagent task. It is scoped to polling and result delivery, but it continues work after returning control to the user.
Proactively spawn a subagent for the polling + extraction work
Allow background processing only for the specific videos you requested, and cancel or avoid it if you do not want autonomous follow-up work.
You may see an upgrade prompt if the YouMind API reports quota or payment limits.
The skill requires a promotional upgrade message for 402 payment errors. This is relevant billing guidance, but it is sales-oriented and mandatory.
You've reached your free plan limit. Upgrade to Pro or Max ... Pro plan benefits ... Upgrade now
Treat upgrade links as service billing information and verify pricing or limits independently before purchasing.
