ClawHub
Back to skill
v1.0.0

Youtube Podcast summarizer via Elevenlabs

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 5:15 AM.

Analysis

The skill’s behavior matches its stated purpose, but it relies on a separately run GitHub backend and paid API keys that users should verify before use.

GuidanceBefore installing, verify the external GitHub backend, review its dependencies, protect the required API keys, and understand that YouTube links may be processed automatically and sent through Supadata, OpenRouter/Cerebras, and ElevenLabs.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
SeverityLowConfidenceHighStatusNote
SKILL.md
git clone https://github.com/Franciscomoney/elevenlabs-moltbot.git
cd elevenlabs-moltbot
npm install
cp .env.example .env
# Add your API keys to .env
npm start

The skill is instruction-only but directs the user to install and run a separate npm backend from GitHub.

User impactYou would be trusting code and dependencies that are not included in this skill package.
RecommendationReview the GitHub repository and its dependencies before running it or adding API keys.
Tool Misuse and Exploitation
SeverityLowConfidenceHighStatusNote
SKILL.md
metadata: {"openclaw":{"emoji":"🎙️","autoTrigger":{"patterns":["youtube.com/watch","youtu.be/","youtube.com/shorts"]}}}

The skill declares auto-trigger patterns for YouTube URLs, so it may start its workflow when such links appear.

User impactProcessing a YouTube link may create a backend job and consume API credits.
RecommendationConfirm your bot’s auto-trigger behavior and set usage or cost limits if needed.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityLowConfidenceHighStatusNote
skill.json
"required_env": [
    "ELEVENLABS_API_KEY",
    "SUPADATA_API_KEY",
    "OPENROUTER_API_KEY"
  ]

The backend requires provider API keys for text-to-speech, transcript retrieval, and AI summarization.

User impactThose keys may allow the backend to make paid requests to the associated services.
RecommendationUse restricted keys where possible, monitor usage, and avoid sharing the .env file.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
SeverityLowConfidenceHighStatusNote
README.md
YouTube URL → Supadata (transcript) → AI (summary) → ElevenLabs (voice) → You

The data flow routes YouTube URLs, transcripts, and generated summaries through multiple third-party services.

User impactThe video link and derived transcript or summary content may be sent to external providers as part of the intended workflow.
RecommendationAvoid using the skill for private, sensitive, or unlisted video content unless you are comfortable with those providers processing it.