Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
YouTube Assistant
v1.0.4
Fetch YouTube video transcripts, metadata, and channel info with AI-powered summarization, key takeaway extraction, and multi-video analysis. Powered by evol...
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
The skill's name and description match the included scripts: yt-dlp + Python are used to fetch transcripts/metadata and an optional EVOLINK_API_KEY is used to call Evolink's API for AI features. However, the registry header at the top of the evaluation lists no required binaries or env vars whereas the SKILL.md and _meta.json explicitly require python3, yt-dlp, curl and list EVOLINK_API_KEY as optional — this is an inconsistency in metadata (likely an authoring/packaging oversight) but not a functional mismatch.
Instruction Scope
Runtime instructions and the shipped scripts are narrowly scoped to YouTube operations: extracting subtitles/metadata via yt-dlp and, only when AI commands are used, posting transcript+metadata to https://api.evolink.ai. The SKILL.md documents this data transmission and requires explicit EVOLINK_API_KEY. There are no instructions to read unrelated system files or to exfiltrate other credentials.
Install Mechanism
There is no network download of arbitrary code during install: the included npm install script copies packaged skill files into the user's workdir and updates a local lock file. No remote URLs, shorteners, or extraction-from-unknown-servers are used by the installer. The package references a GitHub repo and Evolink pages for documentation, which is expected.
Credentials
The only credential-like variable is EVOLINK_API_KEY and it is optional for AI features; that is proportionate to the described functionality. One minor issue: the installer checks CLAWHUB_WORKDIR and also a likely-typo CLAWDHUB_WORKDIR — not a credential leak but a small bug. Also, the registry summary at the top omitted required binaries/env which is inconsistent with SKILL.md/_meta.json.
Persistence & Privilege
The skill does not request permanent/always-on privilege (always: false). Installer writes skill files into a skills/ directory and updates a local .clawhub lock/origin file as expected; temporary files for transcript processing are created and removed. The skill does not modify other skills or global credentials.
Assessment
This skill appears to be what it claims: it uses yt-dlp + Python locally to get subtitles/metadata and only sends transcript text to Evolink (api.evolink.ai) when you opt into AI features by setting EVOLINK_API_KEY. Before installing: 1) decide whether you trust Evolink to process transcripts (AI features will transmit full transcript text); 2) confirm you want to install yt-dlp and have python3/curl available; 3) note small metadata inconsistencies (registry summary omits declared requirements) and a harmless installer typo — consider installing in a sandbox or review the scripts yourself if you have concerns; 4) prefer installing from the upstream GitHub repo listed in the README if you want provenance rather than an unknown registry snapshot.
Like a lobster shell, security has layers — review code before you run it.
latest vk971ftf1z0a550g4r8112z5msx84a5nz
