ytdlp-transcript — YouTube to Text via yt-dlp
PassAudited by ClawScan on May 10, 2026.
Overview
The skill does what it says—fetches YouTube captions—but it runs a locally installed yt-dlp tool, so users should install that dependency from a trusted source.
This skill appears safe for its stated purpose. Before installing or using it, make sure yt-dlp is installed from a trusted source, and remember that processing a video will send that YouTube video ID through yt-dlp to retrieve captions.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If yt-dlp is missing, outdated, or replaced by an untrusted binary in the user's PATH, the skill could fail or run the wrong local program.
The skill depends on an external binary installed outside the provided artifact. This is expected for the stated purpose, but the safety of execution depends on the user's locally installed yt-dlp.
- `yt-dlp` installed: `brew install yt-dlp`
Install yt-dlp from a trusted source, keep it updated, and verify that the yt-dlp in PATH is the intended binary.
Using the skill will cause a local yt-dlp process to make a YouTube request for the selected video and write temporary subtitle output.
The script executes a local command to find and run yt-dlp. This is clearly related to the transcript-fetching purpose and does not show user-controlled shell interpolation.
const { execSync, spawnSync } = require('child_process'); ... return execSync('which yt-dlp', { encoding: 'utf8' }).trim(); ... spawnSync(ytdlp, [ '--write-auto-sub', '--skip-download', ... url ])Use the skill only for URLs you intend to process, and ensure the local yt-dlp installation is trusted.