Youtube → Pocket Casts
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone who can read those local credential files may be able to use your Pocket Casts token or YouTube session cookies.
The skill asks the user to store a long-lived Pocket Casts refresh token and logged-in YouTube cookies. This is disclosed and aligned with downloading/uploading, but these credentials are sensitive and could grant account access if exposed.
Get your refresh token from browser dev tools while logged into pocketcasts.com ... YouTube's bot detection requires cookies from a logged-in browser session ... Save to `~/.clawdbot/credentials/pocket-casts/cookies.txt`
Use a dedicated credentials directory with strict permissions, consider a separate browser profile/account for YouTube cookies, and delete or revoke tokens/cookies when you no longer need the skill.
The behavior of the workflow depends partly on external tools and install sources outside this skill package.
The documented setup relies on package-managed execution and a remote install script. This is normal for the downloader workflow, but the artifacts do not pin versions or checksums.
yt-dlp - YouTube downloader (via uv: `uvx yt-dlp`) ... `curl -fsSL https://deno.land/install.sh | sh`
Install dependencies from trusted sources, pin versions where possible, and review remote install scripts before running them.