v0.1.0

Youtube Transcription Generator

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 5:33 AM.

Analysis

This instruction-only skill is purpose-aligned for transcribing YouTube videos, but users should notice that it requires local CLI setup, a VLM Run API key, downloading media, and sending video content to an external provider.

Guidance: This skill looks benign for its stated purpose. Before installing or using it, be comfortable with installing vlmrun/yt-dlp, storing a VLMRUN_API_KEY in a local .env file, downloading YouTube media to disk, and uploading the downloaded media to VLM Run for transcription. Because the referenced script and requirements file are not included, prefer the manual commands or verify any missing files from a trusted source.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Low; Confidence: High; Status: Note
SKILL.md
User provides a **YouTube URL** ... Download the video ... with **yt-dlp**. Run: `vlmrun chat ... -i <downloaded_file> -o <output_dir>`.

The skill directs the assistant to chain local CLI tools using a user-provided URL and output path. This is expected for the transcription workflow, but it still means commands can download media and write files.

User impact: The assistant may download video/audio files and create transcript/output files on the user’s machine.
Recommendation: Use a dedicated output folder, confirm the URL and destination before running commands, and avoid broad or sensitive output paths.

Agentic Supply Chain Vulnerabilities
Severity: Low; Confidence: Medium; Status: Note
SKILL.md
`uv pip install -r requirements.txt` ... `python scripts/run_transcription.py "https://www.youtube.com/watch?v=VIDEO_ID" -o ./output`

The instructions reference a requirements file and helper script, but the provided manifest contains only SKILL.md. The package-install and script-run steps are central to the stated purpose, yet the referenced files are not present for review.

User impact: The recommended scripted setup may not work as packaged, and users cannot inspect the referenced helper script in the supplied artifacts.
Recommendation: Prefer the documented manual commands unless the missing script and requirements file are obtained from a trusted source and reviewed.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low; Confidence: High; Status: Note
SKILL.md
Ensure `.env` (or `.env.local`) contains `VLMRUN_API_KEY`.

The skill requires a provider API key and instructs the assistant to check for it. This is purpose-aligned for VLM Run, but the registry metadata does not declare required env vars or a primary credential.

User impact: A VLM Run API key is needed and should be treated as a sensitive credential.
Recommendation: Store the API key securely, do not paste it into chat, and ensure the assistant only checks whether it exists rather than displaying or copying its value.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Low; Confidence: High; Status: Note
SKILL.md
Transcribes the video with **vlmrun** (Orion visual AI) ... `vlmrun chat "Transcribe this video..." -i <downloaded_file> -o <output_dir>`.

The workflow sends the downloaded video file to the VLM Run provider for transcription. This external processing is disclosed and purpose-aligned, but users should understand that media content leaves the local environment.

User impact: Video or audio content may be uploaded to an external transcription provider.
Recommendation: Only process videos you are allowed to upload, and avoid using this workflow for private or sensitive media unless VLM Run’s data-handling terms are acceptable.