YouTube Transcript (yt-dlp captions)

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A compromised or unexpected yt-dlp binary on PATH would run with the user's local privileges.

Why it was flagged

The skill depends on a local external binary and has limited provenance metadata. This is expected for a yt-dlp-based transcript tool, but the user should ensure the binary comes from a trusted source.

Skill content

Source: unknown; Homepage: none; Required binaries: python3, yt-dlp; No install spec — this is an instruction-only skill.

Recommendation

Install yt-dlp from a trusted package source, keep it updated, and verify the PATH resolves to the intended binary.

What this means

Using the skill executes a local command and lets yt-dlp contact YouTube to retrieve caption metadata or files.

Why it was flagged

The script runs yt-dlp as a local subprocess. This is central to the skill's purpose, and the visible code builds argument lists rather than passing arbitrary text through a shell.

Skill content

p = subprocess.run(cmd, ... timeout=timeout_s) ... cmd = ["yt-dlp", "-J", "--skip-download", "--no-warnings", "--ignore-no-formats-error"]

Recommendation

Use a trusted yt-dlp installation and avoid modifying the skill to pass through arbitrary user-supplied command-line flags.

What this means

If provided, cookies may allow the tool to access YouTube as the signed-in user for caption retrieval.

Why it was flagged

The skill can use YouTube/Google cookies for authenticated access. This is disclosed and optional, but cookies can represent account session authority.

Skill content

The script supports `--cookies` / `YT_TRANSCRIPT_COOKIES`, but does **not** auto-load cookies from inside the skill directory. ... Cookies must be in **Netscape cookies.txt** format. Treat cookies as **secrets**.

Recommendation

Only provide cookies when necessary, store them with restrictive permissions, and avoid using broad or sensitive browser cookie exports unless you understand the account-access implications.

What this means

Requested transcripts and related identifiers may be recoverable from the local cache later.

Why it was flagged

The skill stores transcript results persistently. This is purpose-aligned, but it means video IDs and transcript text can remain on disk after use.

Skill content

Cache results locally in **SQLite** for speed. ... Default cache DB: `{baseDir}/cache/transcripts.sqlite`

Recommendation

Delete or relocate the cache if the requested videos or transcript contents are sensitive.

What this means

A user might store YouTube session cookies in the skill directory despite earlier guidance to keep them outside it.

Why it was flagged

The documentation gives conflicting cookie-location guidance and claims the skill cache path is ignored by git/publish, which could confuse users about safe secret storage.

Skill content

Store cookies under `~/.config/yt-transcript/`. ... Recommended local path (ignored by git/publish): `{baseDir}/cache/youtube-cookies.txt` (chmod 600)

Recommendation

Prefer the ~/.config/yt-transcript location for cookies and clarify the documentation so cookie storage guidance is consistent.