Youtube → Pocket Casts

Pass. Audited by VirusTotal on May 13, 2026.

Overview

Type: OpenClaw Skill
Name: pocket-casts-yt
Version: 1.0.0

The skill is classified as suspicious primarily due to the `SKILL.md` file instructing users to install Deno via `curl -fsSL https://deno.land/install.sh | sh`. This method of executing arbitrary remote code during prerequisite setup poses a significant supply chain risk. While the core `upload.sh` script's functionality aligns with its stated purpose of downloading YouTube videos and uploading them to Pocket Casts, and it handles credentials (Pocket Casts refresh token, YouTube cookies) with appropriate file permissions, the `curl | sh` installation step for a dependency is a high-risk behavior. The script interacts with `api.pocketcasts.com` and `deno.land`.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone who can read those local credential files may be able to use your Pocket Casts token or YouTube session cookies.

Why it was flagged

The skill asks the user to store a long-lived Pocket Casts refresh token and logged-in YouTube cookies. This is disclosed and aligned with downloading/uploading, but these credentials are sensitive and could grant account access if exposed.

Skill content

Get your refresh token from browser dev tools while logged into pocketcasts.com ... YouTube's bot detection requires cookies from a logged-in browser session ... Save to `~/.clawdbot/credentials/pocket-casts/cookies.txt`

Recommendation

Use a dedicated credentials directory with strict permissions, consider a separate browser profile/account for YouTube cookies, and delete or revoke tokens/cookies when you no longer need the skill.

What this means

The behavior of the workflow depends partly on external tools and install sources outside this skill package.

Why it was flagged

The documented setup relies on package-managed execution and a remote install script. This is normal for the downloader workflow, but the artifacts do not pin versions or checksums.

Skill content

yt-dlp - YouTube downloader (via uv: `uvx yt-dlp`) ... `curl -fsSL https://deno.land/install.sh | sh`

Recommendation

Install dependencies from trusted sources, pin versions where possible, and review remote install scripts before running them.