Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Youtube Summary Skill

v1.0.7

Fetch a YouTube video transcript and provide a structured summary. Usage: /youtube-summary <youtube-url> [--lang <language>]

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description, included script (fetch_transcript.py), and declared requirement (uv) align with fetching transcripts and producing summaries. One inconsistency: the SKILL.md and README state the default language is English, but the bundled Python script's default --lang is "it,en" (Italian first), which means the script will prefer Italian unless invoked differently. This is a functional mismatch (not evidence of malicious intent) but affects behavior.
Instruction Scope
Runtime instructions are narrow: parse $ARGUMENTS, run a local Python script via 'uv' to fetch transcripts, summarize, and optionally write a Markdown file. The Bash one-liner looks up fetch_transcript.py under the user's Claude plugin cache (~/.claude/plugins/cache/...) and falls back to ~/.claude/skills/; this is necessary for locating the script but means the skill will execute whatever fetch_transcript.py is found in those locations. Review the fetched script before first use. The script itself only uses the youtube-transcript-api and prints JSON; it does not access unrelated files, env vars, or network endpoints beyond the library's normal behavior.
Install Mechanism
This is an instruction-only skill with no install spec and a small included script. It relies on the 'uv' runtime to manage Python dependencies (youtube-transcript-api). There are no downloads from arbitrary URLs or packaged installers in the manifest, so install risk is low. Ensure you trust the source of the skill and the 'uv' tool.
Credentials
The skill requests no environment variables or credentials and does not require access to unrelated service secrets. It does read $ARGUMENTS (the command input) and may write a Markdown file when the user agrees, which is proportional to its purpose.
Persistence & Privilege
always is false and disable-model-invocation is true (it cannot be invoked autonomously), which reduces risk. The skill does not request persistent elevated privileges or modify other skills' configs. It will execute a local script found in plugin/cache or ~/.claude/skills as described—this is normal for skills but you should confirm the script content.
What to consider before installing
The skill appears to do what it says, but review a few things before installing or using it:
- Verify the content of the bundled fetch_transcript.py (it is included) to ensure it matches the expected behavior; this skill executes that script directly. The repository copy appears benign (uses youtube-transcript-api and prints JSON), but double-check for any unexpected changes after install.
- Note the default-language mismatch: SKILL.md/README say the default is English, but the script default is "it,en" (Italian preferred). If you expect English by default, pass --lang or edit the script/command.
- The runtime command resolves the script from ~/.claude/plugins/cache/... or ~/.claude/skills/ and runs it; ensure those locations are trusted and not modified by other actors on your system.
- 'uv' will fetch and run the youtube-transcript-api dependency at runtime; ensure you trust the uv tool and network access for dependency installation.
- When prompted to save summaries, the skill will write files locally via the Write tool; be mindful of where files are stored and their contents.

If you want higher assurance, run the included fetch_transcript.py locally (outside the skill) against a sample video to confirm behavior and outputs before allowing the skill to execute on your system.

Like a lobster shell, security has layers — review code before you run it.

latest vk97axzf8htzhwmjr6r9xe0pmg983h40w


Runtime requirements

🎬 Clawdis
Bins: uv
