youtube copy of yt

Pass

Audited by ClawScan on May 1, 2026.

Overview

This skill appears to do its advertised job, but it uses Apify as a third-party service, requires an Apify API token, and may incur per-video usage costs.

Before installing, make sure you are comfortable using Apify, setting an APIFY_API_TOKEN, sending requested video URLs to that service, and paying the documented per-video cost. The skill’s behavior is coherent with its description, but the registry metadata under-declares its token and dependency requirements.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Requests are handled through a third-party proxy-based service rather than directly from the local machine, and use may be subject to Apify and YouTube policy or cost considerations.

Why it was flagged

The skill explicitly routes transcript retrieval through Apify residential proxies to avoid YouTube bot detection. This is disclosed and purpose-aligned, but users should be aware of the proxying and platform-policy implications.

Skill content

APIFY runs the request through residential proxies, bypassing bot detection reliably.

Recommendation

Use this only for videos and use cases you are comfortable routing through Apify, and confirm that the usage is acceptable for your policies and budget.

What this means

If the token is available, the skill can use the associated Apify account and may incur the documented per-video charges.

Why it was flagged

The script reads an Apify API token from the environment and uses it to run the Apify actor. This credential use is expected for the service, but the registry metadata lists no required env vars or primary credential.

Skill content

token = os.environ.get("APIFY_API_TOKEN") ... params = { "token": api_token }

Recommendation

Set APIFY_API_TOKEN only when you intend to use the skill, monitor Apify usage and billing, and consider using a dedicated/revocable token.

What this means

Installing the dependency pulls code from the Python package ecosystem, which carries normal package provenance risk.

Why it was flagged

The skill depends on a manually installed Python package without a lockfile or pinned version in the provided artifacts. This is typical for a small script, but it is still a supply-chain detail users should notice.

Skill content

`requests` library (`pip install requests`)

Recommendation

Install dependencies from a trusted environment and consider pinning a known-good version of requests if you need reproducible installs.

What this means

Private, unlisted, or otherwise sensitive video URLs may be shared with Apify when fetching transcripts.

Why it was flagged

The requested YouTube URL is sent to the external Apify actor. This data flow is expected for the transcript-fetching purpose, but it means the URL leaves the local environment.

Skill content

input_data = { "urls": [video_url], "outputFormat": "captions" } ... requests.post(run_url, ... json=input_data, ...)

Recommendation

Avoid submitting sensitive video URLs unless you are comfortable with Apify processing them, and review the Apify actor’s privacy and retention behavior.