ClawHub
Back to skill
v2.0.0

Index Youtube

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 5:54 AM.

Analysis

The skill mostly matches its YouTube indexing purpose, but it includes optional use of Chrome browser cookies for authenticated YouTube access without clear scope or consent boundaries.

GuidanceReview this skill before installing. It appears coherent for YouTube transcript indexing, but avoid `--cookies-from-browser chrome` unless you explicitly want the agent to use your browser session; verify any solograph or yt-dlp installation source and keep the generated index in a location you are comfortable retaining.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
SeverityLowConfidenceHighStatusNote
SKILL.md
pip install solograph
# or
uvx solograph

The skill tells the user or agent to install or run external package-registry software, but the package version and provenance are not pinned in an install spec.

User impactInstalling or running the wrong package version could execute unexpected third-party code on the user's machine.
RecommendationVerify the package source, pin trusted versions where possible, and use an isolated environment for installation.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityMediumConfidenceHighStatusConcern
SKILL.md
Reduce `-n` limit, add `--sleep-interval 2` to yt-dlp commands, or use `--cookies-from-browser chrome` for authenticated access.

This explicitly recommends using the user's Chrome browser session cookies for authenticated YouTube requests, while the metadata declares no credential requirement and the instructions do not define consent, scope, or handling boundaries.

User impactIf used, the skill could operate through the user's signed-in browser session and access account-specific YouTube content or session-derived data.
RecommendationPrefer unauthenticated indexing and rate-limit options first. Only allow browser-cookie access after explicit approval, ideally with a dedicated browser profile, and document the credential scope clearly.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
SeverityLowConfidenceHighStatusNote
SKILL.md
Write a summary index to `docs/youtube/index.md`

The skill creates a persistent searchable index of downloaded transcripts and summaries, which is central to its purpose but may be reused in later searches.

User impactIndexed transcript content can remain on disk or in the knowledge base and may be surfaced in future searches.
RecommendationIndex only intended channels, review the output location, and delete or update the stored index when it is no longer needed.