YouTube Transcript Native Node

Pass. Audited by ClawScan on May 14, 2026.

Overview

This appears to be a purpose-aligned YouTube transcript helper, but it depends on running a trusted local yt-dlp program.

Before installing, make sure you trust the yt-dlp binary on your PATH and avoid using the skill for private or sensitive videos; otherwise the visible behavior is coherent with fetching YouTube transcripts.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the local yt-dlp binary is malicious, outdated, or replaced in PATH, it would run with the user's account permissions.

Why it was flagged

The script invokes an external executable from PATH. This is disclosed and purpose-aligned, and the visible code does not use a shell, but the local yt-dlp binary is still a user trust boundary.

Skill content

proc = spawn("yt-dlp", args, { stdio: ["ignore", "pipe", "pipe"] });

Recommendation

Install yt-dlp only from trusted sources, keep it updated, and verify which yt-dlp binary is first on PATH before using the skill.

What this means

The skill's safety depends partly on the yt-dlp installation already present on the user's machine.

Why it was flagged

The skill depends on an external binary outside the included files. That dependency is clearly disclosed, but its provenance and updates are not controlled by the skill package itself.

Skill content

Wraps the external [`yt-dlp`](https://github.com/yt-dlp/yt-dlp) binary, which must be installed and on PATH.

Recommendation

Use an official package manager or the official yt-dlp project instructions, and avoid untrusted copies or PATH locations.