YouTube Long Video Transcript
v1.0.0
YouTube long video (>1 hour) full verbatim transcription and translation workflow. Use when user needs to (1) Extract subtitles from YouTube videos, (2) Translate English transcripts to Chinese, (3) Handle long videos that exceed session limits, (4) Process DownSub API responses and generate formatted documents.
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name/description (YouTube long-video transcription & translation) matches the SKILL.md workflow, but the metadata declares no required credentials or tools while the instructions explicitly require a DownSub API key and optional 'zhiyan' tool. The SKILL.md even embeds an Authorization header with a bearer token, which is inconsistent with the registry metadata and unexpected for a simple instruction-only skill.
Instruction Scope
Runtime instructions tell the agent to POST to https://api.downsub.com/download with a specific Authorization header (token-looking string starting with 'AIza...'), spawn sub-agents, read and slice large transcript files, append/write chunk files, and optionally call a 'zhiyan' MCP. The instructions contain contradictions (e.g., earlier 'Has zhiyan? → Can generate online docs' vs. spawn-task text 'Do NOT use zhiyan') and include a hard-coded credential in the document — both are red flags. The steps ask the agent to handle secrets and to spawn background processing, which broadens the surface area beyond a simple parser.
Install Mechanism
No install spec and no code files are present (instruction-only). This lowers the risk from disk-installed arbitrary code. However, being instruction-only means the SKILL.md itself is the primary security surface and must be trusted.
Credentials
The skill metadata lists no required environment variables or primary credential, yet the SKILL.md requires a DownSub API key and shows an Authorization header with a token pattern ('AIza...') typically associated with Google API keys. Requiring a bearer/API key is reasonable for a third‑party service, but the metadata should declare it and the embedded token in the instructions is problematic. The skill also asks the user to 'configure in secrets' with no guidance on scope or storage.
Persistence & Privilege
The skill does not request persistent installation or 'always' inclusion and does not ask to modify other skills or system-wide settings. It does instruct spawning sub-agents and writing local files (transcript chunks and merged outputs), which is expected for long-file processing but increases operational privileges at runtime; this is a normal but notable capability.
What to consider before installing
Do not install blindly. Key points to check before proceeding:
- The SKILL.md requires a DownSub API key yet the registry metadata lists no credentials — confirm where/how you'll provide the API key and avoid pasting secrets into plain instructions. Prefer storing keys in your platform's secrets store.
- The document embeds an Authorization header with a bearer token (starts with 'AIza...'); treat this as suspicious (possible accidental leak or placeholder). Do not assume the embedded token is valid or safe to use.
- Verify that DownSub actually requires the type of key described and that the endpoint and Authorization scheme are legitimate (consider using official YouTube APIs or known services instead).
- Note the skill asks the agent to spawn sub-agents and read/write transcript files; ensure you trust the agent runtime with those files and do not allow it to access unrelated files or credentials.
- Clarify the contradictory instructions around 'zhiyan' and the recommended workflow (the SKILL.md has inconsistent guidance).
- If you proceed, prefer giving the minimum required credential scoped appropriately, test with a small non-sensitive video, and monitor any network requests the agent makes.

Like a lobster shell, security has layers — review code before you run it.
