Skill v1.0.0

ClawScan security

YouTube Transcript Generator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 3, 2026, 5:34 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill appears to do exactly what it claims — download and clean YouTube subtitles using yt-dlp and a bundled shell script — with no unexpected credential requests or hidden network endpoints.
Guidance
This skill is coherent and appears to do what it says, but check a few practical items before use: (1) Install yt-dlp from an official source (brew, pip, or the project's releases) because the script depends on it — the registry metadata omitted this requirement. (2) Review the bundled scripts (you already have them) and run them in a safe working directory; the script writes transcript_<VIDEO_ID>.txt to your current directory and uses a temporary folder for subtitles. (3) Run as a non-root user and try it on a harmless public video first to confirm behavior. (4) Be aware that yt-dlp will contact YouTube (network activity) and that downloading subtitles may have copyright/legal considerations in your jurisdiction. (5) Verify any external links in the SKILL.md before following them. If you want higher assurance, ask the publisher for provenance (source/homepage) or request the skill be updated so metadata lists yt-dlp/python3 as required binaries.

Review Dimensions

Purpose & Capability
note: The skill's name/description match its behavior: the SKILL.md and the bundled script download subtitles and produce cleaned transcripts. Minor inconsistency: the registry metadata declares no required binaries, but the SKILL.md and script explicitly require yt-dlp (and use python3).
Instruction Scope
ok: Runtime instructions and the script stay within the stated purpose: calling yt-dlp to fetch subtitle files, cleaning them, and writing a transcript file. The script only reads the downloaded subtitle file(s) and writes output to the current directory / a temp dir; it does not attempt to read unrelated system files or environment variables.
Install Mechanism
ok: This is an instruction-only skill with a local shell script; there is no install spec and nothing is downloaded by the skill itself. The only external dependency is yt-dlp (recommended install via brew or pip) which the user must install separately.
Credentials
ok: The skill requests no environment variables or credentials and does not require access to other services beyond YouTube via yt-dlp. The lack of declared required binaries in registry metadata is the only proportionality mismatch (yt-dlp/python3 are required in practice).
Persistence & Privilege
ok: The skill is not always-enabled and does not modify other skills or system-wide configs. It runs on demand and writes only its own output file; no elevated privileges are requested.