Youtube → Pocket Casts

Pass

Audited by ClawScan on May 10, 2026.

Overview

The skill appears to do what it says, but it relies on sensitive Pocket Casts and YouTube session credentials plus external downloader tooling.

Before installing, make sure you are comfortable storing a Pocket Casts refresh token and YouTube cookies on disk. Only run it for videos you have rights to download, install dependencies from trusted sources, and remove or revoke the stored credentials when you are done.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone who can read those local credential files may be able to use your Pocket Casts token or YouTube session cookies.

Why it was flagged

The skill asks the user to store a long-lived Pocket Casts refresh token and logged-in YouTube cookies. This is disclosed and aligned with downloading/uploading, but these credentials are sensitive and could grant account access if exposed.

Skill content

Get your refresh token from browser dev tools while logged into pocketcasts.com ... YouTube's bot detection requires cookies from a logged-in browser session ... Save to `~/.clawdbot/credentials/pocket-casts/cookies.txt`

Recommendation

Use a dedicated credentials directory with strict permissions, consider a separate browser profile/account for YouTube cookies, and delete or revoke tokens/cookies when you no longer need the skill.

What this means

The behavior of the workflow depends partly on external tools and install sources outside this skill package.

Why it was flagged

The documented setup relies on package-managed execution and a remote install script. This is normal for the downloader workflow, but the artifacts do not pin versions or checksums.

Skill content

yt-dlp - YouTube downloader (via uv: `uvx yt-dlp`) ... `curl -fsSL https://deno.land/install.sh | sh`

Recommendation

Install dependencies from trusted sources, pin versions where possible, and review remote install scripts before running them.