Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

YouTube Full Channel Transcripts

v1.0.0

Extract transcripts from all videos in a YouTube channel for free (no paid APIs). Uses yt-dlp to discover videos and fetch available subtitles. Saves combine...

by Blue Fox @otomazeli
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Benign
OpenClaw
Suspicious
high confidence
Purpose & Capability
Name/description match the code: the script discovers videos with yt-dlp, downloads subtitles, converts SRT to text, and writes JSON/CSV. Required binaries (yt-dlp, jq) make sense. However the script invokes yt-dlp with '--js-runtimes node' but 'node' is not listed as a required binary—this is an actionable mismatch. Also skill.json declares environment vars (YT_DLP_MAX_RETRIES, YT_DLP_SLEEP_INTERVAL) that the script does not actually read.
Instruction Scope
Runtime instructions and the script operate within the stated scope: they call yt-dlp to fetch YouTube data, parse local files in /tmp, and write transcript outputs to an output directory. The script does not read unrelated system files or transmit data to third-party endpoints beyond YouTube/yt-dlp.
Install Mechanism
No install spec (instruction-only plus a shell script). Nothing is downloaded from arbitrary URLs; the script relies on system-installed binaries. This is low-risk from an installer perspective.
Credentials
The skill requests no credentials and declares only non-secret env vars in skill.json. But those declared vars (YT_DLP_MAX_RETRIES, YT_DLP_SLEEP_INTERVAL) are not actually used in the script, and the script expects input via lowercase variables like 'channel_url' which is not documented as an environment variable in skill.json. No sensitive credentials are requested.
Persistence & Privilege
The skill is not always-enabled and does not request elevated persistence. It does write temporary files to /tmp and outputs to a local output directory, which is expected behaviour for this utility.
What to consider before installing
This skill appears to implement the advertised functionality but has small inconsistencies you should be aware of before installing:
1) The script calls yt-dlp with '--js-runtimes node' but 'node' is not listed as a required binary—install Node.js or remove that option if you rely on yt-dlp's default.
2) skill.json declares YT_DLP_MAX_RETRIES and YT_DLP_SLEEP_INTERVAL, but the script does not use them; retries/backoff mentioned in README are not implemented.
3) The script expects input via environment variables named in lowercase (e.g., channel_url); the SKILL.md usage (prefixing the command with channel_url=...) will work but confirm how your agent passes parameters.
4) The script writes temporary files to /tmp and output files to a relative output_dir—run it in an isolated workspace if you need to protect local data.
If these mismatches worry you, request an updated skill that: documents required 'node' if needed, actually uses or removes the declared env vars, and clarifies how parameters should be provided.

Like a lobster shell, security has layers — review code before you run it.

latestvk97103ddjxva2t3j6rjkdvjncs83fyv5

Runtime requirements

🎥 Clawdis
Bins: yt-dlp, jq
