Gemini Yt Video Transcript

Pass

Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: gemini-yt-video-transcript
Version: 1.0.4

The skill is designed to transcribe YouTube videos using Google Gemini. The `SKILL.md` provides clear, benign instructions without any prompt injection attempts against the OpenClaw agent. The `scripts/youtube_transcript.py` script securely handles the `GEMINI_API_KEY` from environment variables, makes network calls exclusively to legitimate Google Gemini and YouTube oEmbed endpoints, and includes a robust `_safe_output_path` function to restrict file output to the skill's workspace or temporary directories, preventing arbitrary file writes. There is no evidence of data exfiltration, malicious execution, persistence mechanisms, or obfuscation.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The video URL and related request data are processed by external services as part of generating the transcript.

Why it was flagged

The user-provided video URL is sent to Google Gemini for processing, and the script also performs a YouTube title lookup; this is expected for the transcript function.

Skill content

API_ENDPOINT = f"https://generativelanguage.googleapis.com/v1beta/models/{GEMINI_MODEL}:generateContent" ... {"file_data": {"file_uri": url}}

Recommendation

Use this skill only for videos you are comfortable processing through Google Gemini/YouTube, and review the transcript before sharing it.

What this means

Gemini API usage may consume the user's quota or incur costs depending on the configured Google account.

Why it was flagged

The script uses the user's Gemini API key to authenticate to Google's Generative Language API; this is purpose-aligned and disclosed, but the key may carry quota or billing authority.

Skill content

api_key = os.environ.get("GEMINI_API_KEY") ... "x-goog-api-key": api_key

Recommendation

Use a dedicated or limited Gemini API key where possible, monitor usage, and rotate the key if it is exposed.