ClawHub

youtube copy of yt

v1.0.0

Fetch YouTube video transcripts via APIFY API using residential proxies to bypass bot detection, supporting text and JSON output formats.

1· 1.4k·0 current·0 all-time
by@inaor·duplicate of @robbyczgw-cla/youtube-apify-transcript
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md, README, and the included Python script all implement a YouTube-transcript fetcher that calls apify.com (actor karamelo~youtube-transcripts). That aligns with the apparent purpose. However the published skill name ('youtube copy of yt') and lack of a description are odd and the registry metadata does not declare the APIFY_API_TOKEN requirement even though both SKILL.md and the script require it.
Instruction Scope
Runtime instructions are narrowly scoped to calling APIFY: setting APIFY_API_TOKEN, running the Python script, and passing a YouTube URL/ID. The SKILL.md does not instruct reading unrelated files, scanning system paths, or exfiltrating other credentials.
Install Mechanism
No install spec is provided (instruction-only plus a Python script). The only dependency is the widely used 'requests' Python library, which the script checks for and instructs installing. There are no downloads from unknown URLs or archives.
!
Credentials
The script and SKILL.md clearly require APIFY_API_TOKEN (an API credential) and a python3/runtime with requests; that is proportionate to the stated functionality. The concern is that the registry metadata lists no required environment variables or primary credential — an inconsistency that could lead users to install without realizing they must provide a token. No other unrelated credentials are requested.
Persistence & Privilege
The skill does not request persistent/always-on inclusion, does not modify other skills, and has no elevated privileges. It simply performs outbound API calls to apify.com when executed.
What to consider before installing
This skill appears to do what it says (use APIFY to fetch YouTube transcripts), but the published metadata omits the APIFY_API_TOKEN requirement that the docs and script clearly need. Before installing or using it: (1) confirm you trust the publisher — the listed name/description are inconsistent; (2) do not commit your APIFY_API_TOKEN to source control and consider using a least-privilege token if APIFY supports it; (3) verify you accept outbound network calls to api.apify.com (the script posts to and polls APIFY actor runs) and the associated costs (~$0.007 per video); (4) run the script in an isolated environment (virtualenv, container) and inspect the code yourself — the included script is short and readable; (5) ask the publisher to update registry metadata to declare the required env var (APIFY_API_TOKEN) and provide a clear description. The mismatch in declared requirements is the primary reason to be cautious; the code itself contains no obvious exfiltration beyond contacting apify.com for expected data.

Like a lobster shell, security has layers — review code before you run it.

latestvk975jh798emne2x56xz46p43d980kxzy

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments