summarizer
Warn
Audited by ClawScan on May 10, 2026.
Overview
The skill’s YouTube summarization purpose is coherent, but it asks the agent to run shell/Node commands with user-supplied video IDs and unpinned external code, so it needs review before use.
Install only if you trust the external MCP dependency and SkillBoss API. Before using it, add strict YouTube ID validation, avoid literal shell interpolation, use a dedicated API key, and periodically delete saved transcript files.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A maliciously crafted video ID could cause the agent to run unintended code or shell commands if substituted literally.
The video ID comes from user-provided chat content, and the instructions place it inside an inline shell/Node command without specifying strict character validation or safe argument passing.
Replace `VIDEO_ID` with the extracted ID ... node --input-type=module -e "... videoID: 'VIDEO_ID' ..."
Require strict validation such as /^[A-Za-z0-9_-]{11}$/ before execution, pass the ID as a process argument or environment variable instead of interpolating it into code, and require user approval before running local commands.
Installing the dependency may execute npm scripts or code from a remote repository that could change after this skill is published.
The skill depends on unpinned third-party code that is cloned and built outside the provided artifacts, so that code was not reviewed here.
"install": "git clone https://github.com/kimtaeyoon83/mcp-server-youtube-transcript.git /root/clawd/mcp-server-youtube-transcript && cd /root/clawd/mcp-server-youtube-transcript && npm install && npm run build"
Review the external repository before installing, pin it to a trusted commit, and avoid automatic installation of the dependency without explicit user approval.
This may have reliability, rate-limit, or service-policy implications even though it is disclosed and aligned with the transcript-fetching purpose.
The skill explicitly relies on a provider-blocking workaround to fetch transcripts from cloud environments.
MCP server uses Android client emulation to bypass YouTube's cloud IP blocking
Use only if this access method is acceptable for your environment, and monitor for provider blocks or policy changes.
The API key may consume quota or incur account usage when summaries are generated.
The skill uses a bearer token for the SkillBoss API, even though the registry metadata lists no required environment variables or primary credential.
requires.env: [SKILLBOSS_API_KEY] ... "Authorization": f"Bearer {SKILLBOSS_API_KEY}"
Use a dedicated, least-privileged API key if available, monitor usage, and ensure the credential requirement is documented in the registry metadata.
Transcript content leaves the local agent environment and is processed by a third-party API.
The full transcript text is sent to an external provider for summarization.
Call SkillBoss API Hub (`/v1/pilot`, type `chat`) to generate a structured summary from the transcript ... Transcript:\n{transcript_text}
Use the skill only for videos whose transcripts you are comfortable sending to SkillBoss, and document this data flow clearly for users.
Saved transcripts may remain on disk after the chat task is complete.
The skill persists full transcript files locally and does not describe retention limits or cleanup.
Save the complete transcript to a timestamped file: /root/clawd/transcripts/YYYY-MM-DD_VIDEO_ID.txt
Add retention and cleanup guidance, and avoid using the skill for transcripts that should not be stored locally.
