ClawHub

YouTube Research Assistant

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This skill appears purpose-aligned: it fetches YouTube captions with yt-dlp and stores local transcript/session data, with minor network and privacy hardening points to notice.

This looks reasonable to install if you are comfortable with yt-dlp fetching captions from YouTube and storing transcript/session data locally. Review the local data folder if privacy matters, keep yt-dlp updated, and consider hardening the fetch command by validating YouTube URLs and avoiding disabled certificate checks.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

#ASI02: Tool Misuse and Exploitation
Low
What this means

When used, the skill sends the video URL to yt-dlp/YouTube to retrieve captions, and a compromised network path could potentially affect the fetched transcript because certificate verification is disabled.

Why it was flagged

The core workflow invokes the external yt-dlp tool against the provided URL to retrieve subtitles; this is expected for the skill, but disabling certificate checks weakens transport authenticity.

Skill content
"yt-dlp", "--skip-download", "--write-subs", "--write-auto-subs", ... "--no-check-certificates", ... url
Recommendation

Use the skill only for intended YouTube URLs, keep yt-dlp updated, and consider removing the --no-check-certificates option or adding stricter YouTube-domain validation.

#ASI06: Memory and Context Poisoning
Low
What this means

Your watched video URLs, transcript text, and active-video session state may remain on the local machine and be reused for later answers.

Why it was flagged

The script persists transcripts and an index containing video URLs in the skill data directory so later questions can reuse stored context.

Skill content
DATA_DIR = Path.home() / ".openclaw/workspace/skills/youtube-research-assistant/data"; index[video_id] = {"url": url, "saved": datetime.now().isoformat(), "lines": transcript.count("\n")}
Recommendation

Avoid using sensitive/private video links if local history is a concern, and periodically delete the skill's data directory or run cleanup; note that cleanup removes old transcript .txt files but the URL index/session files may remain.