Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Extract Youtube Transcript
v2.1.0
Extract plain-text transcripts from YouTube videos using a local Python script. Use when the user wants to fetch, extract, or get a transcript from a YouTube...
by Joe Hu @hushenglang
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name, description, SKILL.md and the Python script are consistent: the tool extracts YouTube transcripts and exposes options to list languages, set output, and optionally supply a cookies file. However, including a pre-filled youtube_cookies.txt (containing many long auth-like cookie values) is not required for the stated purpose and is disproportionate; a transcript extractor should not ship someone else's authentication tokens.
Instruction Scope
Runtime instructions are confined to installing youtube-transcript-api (via pip) and running the local Python script. They do not instruct broad system reads or external exfiltration. The script supports an optional --cookies argument and will load a Netscape cookie file if provided; the skill bundles such a cookie file which expands the scope to authenticated YouTube access. There is also a pre-scan finding for a 'base64-block' pattern (likely from long cookie values) that should be reviewed.
Install Mechanism
There is no install spec; this is instruction/code-only. Dependency is installed via pip at runtime per SKILL.md. No downloads from arbitrary URLs or archive extraction were found.
Credentials
The skill declares no required env vars or credentials, which is appropriate. However, it includes a youtube_cookies.txt file containing many cookie tokens (LOGIN_INFO, SID, PSID, etc.) that look like authentication credentials. Bundling those tokens is unnecessary and potentially dangerous — users could mistakenly use someone else's cookies or reveal their own session if they modify the file. The presence of these cookies is disproportionate to the skill's needs and raises privacy/credential risks.
Persistence & Privilege
The skill does not request permanent presence (always:false) and does not attempt to modify other skill or system configurations. It runs locally and does not claim elevated privileges.
Scan Findings in Context
[base64-block] unexpected: A 'base64-block' pattern was detected (likely from long base64-like cookie values in youtube_cookies.txt). A transcript extractor does not need embedded base64 payloads; in this case the finding is consistent with bundled auth cookie values, which should be treated as sensitive and are not expected for a generic example.
What to consider before installing
This skill appears to do exactly what it says (locally extract YouTube transcripts), but it ships a Netscape-format cookie file containing long auth tokens. Do NOT use the bundled youtube_cookies.txt as-is: it may contain someone else's session cookies or sensitive tokens. Before using the skill, either remove the youtube_cookies.txt file or replace it with a cookies file you create yourself if you intentionally need authentication (and only if you understand the risks). Review the Python script locally to verify behavior, run it in a sandbox or isolated environment, and avoid uploading any exported transcripts or cookie files to untrusted services. If provenance of this skill is unknown, prefer obtaining the script from a trusted source or recreate minimal functionality rather than running bundled credentials.
Like a lobster shell, security has layers — review code before you run it.
latest vk97ddjjc3aq6v5gdtkcr8953cn82f05q
