Youtube Transcriber

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill mostly matches its YouTube transcription purpose, but its custom output-path handling can be abused to alter generated Python code run locally.

Review this skill before installing. It does the advertised transcription workflow, but use simple trusted output paths until the path interpolation bug is fixed. Also install yt-dlp and ffmpeg from trusted sources and only provide an OpenAI API key if you accept sending fallback audio to OpenAI and paying any API charges.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A malicious or mishandled output path could make the local agent run unintended Python code with the user's local permissions.

Why it was flagged

The user-controlled --out value is inserted directly into Python source code executed with python3 -c. A crafted path containing Python string-breaking characters could change the generated program instead of being treated only as a file path.

Skill content
--out)         OUT_FILE="${2:-}"; shift 2 ;;
with open('$OUT_FILE', 'w') as f:
Recommendation

Rewrite the Python helper to pass paths via sys.argv or environment variables, for example using a quoted here-doc plus python3 - "$SUB_FILE" "$OUT_FILE", and avoid interpolating file paths into executable source.
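To make the recommendation concrete, the following is an added example written for this review, not the skill's own code: it places the interpolated python3 -c pattern beside the quoted here-doc form that passes paths through sys.argv, and checks both against an output path that contains a quote. The subtitle file, the output paths and python3 being on PATH are assumptions.

```shell
# Added example for this report, not the skill's own code. Assumes python3 on
# PATH; the subtitle file and output paths below are constructed stand-ins.
set -u

SUB_FILE="$(mktemp)"                       # constructed subtitle input
printf 'hello world\n' > "$SUB_FILE"
trap 'rm -f "$SUB_FILE"' EXIT

# Interpolated pattern from the report: the user-supplied --out value is
# spliced into Python source, so a quote in the path ends the string literal
# and the remainder of the path is parsed as Python code (SyntaxError here).
write_interpolated() {
  out_file="$1"
  python3 -c "
with open('$SUB_FILE') as src, open('$out_file', 'w') as f:
    f.write(src.read())
"
}

# Recommended pattern: a quoted here-doc keeps the program text constant and
# both paths arrive via sys.argv, where no character can alter the program.
write_argv() {
  out_file="$1"
  python3 - "$SUB_FILE" "$out_file" <<'PY'
import sys
src_path, out_path = sys.argv[1], sys.argv[2]
with open(src_path) as src, open(out_path, "w") as f:
    f.write(src.read())
PY
}

# Runs a writer against an output path containing a quote and a space.
# Returns 0 when the file was written with the expected content, else 1.
check_writer() {
  writer="$1"
  dir="$(mktemp -d)"
  out="$dir/it's a test.txt"
  "$writer" "$out"
  ok=1
  if [ -f "$out" ] && [ "$(cat "$out")" = "hello world" ]; then ok=0; fi
  rm -rf "$dir"
  return "$ok"
}

check_writer write_argv && echo "argv version: wrote quoted path correctly"
check_writer write_interpolated || echo "interpolated version: failed on quoted path"
```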

What this means

Using the fallback may send video audio to OpenAI and charge the user's OpenAI account.

Why it was flagged

When subtitles are unavailable, the script uses the user's OpenAI API key and uploads the downloaded/compressed audio to OpenAI for transcription. This is purpose-aligned and disclosed, but it is credentialed, billable provider access.

Skill content
-H "Authorization: Bearer ${OPENAI_API_KEY}"
  -F "file=@${WHISPER_INPUT}"
  -F "model=whisper-1"
Recommendation

Install only if you are comfortable using an OpenAI API key for this purpose, and consider API spending limits. The skill metadata should declare the OpenAI credential requirement.

What this means

The skill may fail or behave differently depending on which local yt-dlp/ffmpeg versions are installed, and users may not see these requirements from registry metadata alone.

Why it was flagged

The skill depends on external CLI tools and a provider credential, but the registry metadata lists no required binaries or environment variables. The dependencies are expected for the purpose, but users must manage their provenance and installation themselves.

Skill content
- `yt-dlp` — `brew install yt-dlp` or `pip install yt-dlp`
- `ffmpeg` — `brew install ffmpeg`
- `OPENAI_API_KEY` environment variable set
Recommendation

Install dependencies from trusted package sources, keep yt-dlp/ffmpeg updated, and update the skill metadata to accurately declare required binaries and the optional/conditional OpenAI API key.