youtube copy of yt
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name:
Developer:
Version:
Description: OpenClaw Agent Skill
Suspicious High-Entropy/Eval files: 1
The skill bundle is designed to fetch YouTube transcripts using the APIFY API. The `SKILL.md` and `README.md` provide clear, legitimate instructions for setup and usage, including setting an `APIFY_API_TOKEN` environment variable. The `scripts/fetch_transcript.py` script correctly utilizes this token to make API calls exclusively to `api.apify.com` for its stated purpose. There is no evidence of data exfiltration, malicious execution, persistence mechanisms, prompt injection attempts against the agent, or obfuscation. All network and file operations are directly aligned with the skill's functionality.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Requests are handled through a third-party proxy-based service rather than directly from the local machine, and use may be subject to Apify and YouTube policy or cost considerations.
The skill explicitly routes transcript retrieval through Apify residential proxies to avoid YouTube bot detection. This is disclosed and purpose-aligned, but users should be aware of the proxying and platform-policy implications.
APIFY runs the request through residential proxies, bypassing bot detection reliably.
Use this only for videos and use cases you are comfortable routing through Apify, and confirm that the usage is acceptable for your policies and budget.
If the token is available, the skill can use the associated Apify account and may incur the documented per-video charges.
The script reads an Apify API token from the environment and uses it to run the Apify actor. This credential use is expected for the service, but the registry metadata lists no required env vars or primary credential.
token = os.environ.get("APIFY_API_TOKEN") ... params = { "token": api_token }
Set APIFY_API_TOKEN only when you intend to use the skill, monitor Apify usage and billing, and consider using a dedicated/revocable token.
Installing the dependency pulls code from the Python package ecosystem, which carries normal package provenance risk.
The skill depends on a manually installed Python package without a lockfile or pinned version in the provided artifacts. This is typical for a small script, but it is still a supply-chain detail users should notice.
`requests` library (`pip install requests`)
Install dependencies from a trusted environment and consider pinning a known-good version of requests if you need reproducible installs.
Private, unlisted, or otherwise sensitive video URLs may be shared with Apify when fetching transcripts.
The requested YouTube URL is sent to the external Apify actor. This data flow is expected for the transcript-fetching purpose, but it means the URL leaves the local environment.
input_data = { "urls": [video_url], "outputFormat": "captions" } ... requests.post(run_url, ... json=input_data, ...)
Avoid submitting sensitive video URLs unless you are comfortable with Apify processing them, and review the Apify actor’s privacy and retention behavior.
