YouTube Watcher
PassAudited by ClawScan on May 1, 2026.
Overview
This skill appears to do what it claims: it uses yt-dlp to fetch video subtitles and prints cleaned transcript text, with no evidence of credentials, persistence, or hidden data sharing.
This looks safe for its stated purpose. Before installing, make sure you trust the yt-dlp package source, and remember that fetched transcripts are third-party content that should be summarized or analyzed rather than treated as instructions.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill's behavior depends on the installed yt-dlp tool, so a compromised or untrusted installation of that dependency could affect what runs locally.
The skill relies on installing an external yt-dlp package/binary. This is disclosed and purpose-aligned, but users should trust the package source they install from.
"requires":{"bins":["yt-dlp"]},"install":[{"id":"brew","kind":"brew","formula":"yt-dlp"...},{"id":"pip","kind":"pip","package":"yt-dlp"...}]Install yt-dlp only from trusted package managers or sources and keep it updated.
Using the skill will run yt-dlp locally and contact the video source for the URL provided.
The script executes the local yt-dlp binary with the user-provided URL to retrieve subtitles. This command execution is central to the skill and is not shell-interpolated.
cmd = ["yt-dlp", "--write-subs", "--write-auto-subs", "--skip-download", "--sub-lang", "en", "--output", "subs", url] subprocess.run(cmd, cwd=temp_dir, check=True, capture_output=True)
Use the skill only with video URLs you intend to process, and avoid relying on transcript content as trusted instructions.