Youtube Apify Transcript
v1.3.3Fetch YouTube transcripts via APIFY API. Works from cloud IPs (Hetzner, AWS, etc.) by bypassing YouTube's bot detection. Features local caching (FREE repeat...
⭐ 5· 3.2k·1 current·1 all-time
byRobby@robbyczgw-cla
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
The skill's declared functionality (fetch YouTube transcripts via Apify) matches the code and instructions: it calls the Apify API and caches results. One inconsistency: the top-level registry summary in the provided metadata listed 'Required env vars: none', while SKILL.md and package.json correctly declare APIFY_API_TOKEN (required) and an optional YT_TRANSCRIPT_CACHE_DIR. This appears to be a metadata oversight rather than functional misalignment.
Instruction Scope
SKILL.md instructs the agent to run the included Python script, install the requests library, and set APIFY_API_TOKEN. The script (visible portion) only reads/writes local cache files in the skill directory and talks to the Apify API. Agent instructions explicitly say to fetch transcripts with the script then summarize locally. No instructions request unrelated system files, other credentials, or external endpoints beyond Apify.
Install Mechanism
There is no remote download/install step in the registry install spec. The only required binary is python3 and the only Python dependency is 'requests' (pip install requests), which is proportionate and low-risk. The skill ships a local script rather than downloading code from arbitrary URLs.
Credentials
The single required secret is APIFY_API_TOKEN, which is appropriate for calling the Apify API. The optional YT_TRANSCRIPT_CACHE_DIR is reasonable. However, the registry summary conflictingly claimed no required env vars — users should rely on SKILL.md/package.json and provide APIFY_API_TOKEN. No other unrelated secrets or credentials are requested.
Persistence & Privilege
The skill persists cached transcripts as JSON files under the skill directory (.cache/ by default) or under a directory set by YT_TRANSCRIPT_CACHE_DIR. This is normal for a caching tool but means fetched transcript contents will remain on disk unless cleared with --clear-cache; users should consider where the skill is installed and who can access that directory. always is false and the skill does not request elevated agent privileges.
Assessment
This skill appears to be internally consistent and implements exactly what it claims: it needs an APIFY API token and the Python requests package to call Apify actor(s) and cache results. Before installing:
- Provide an APIFY_API_TOKEN (SKILL.md and package.json require it); ignore the registry summary that says none — that is inconsistent.
- Review or set YT_TRANSCRIPT_CACHE_DIR if you don't want transcripts stored under the skill directory; cached transcripts persist until you run --clear-cache.
- Understand that transcripts are retrieved via a third-party Apify actor (actor IDs are listed). Using Apify means your requests go through Apify's infrastructure and the actor code run by that actor owner; ensure you trust that actor/provider and are comfortable with any data sent to Apify and potential billing on your account.
- The tool does not request other credentials or perform other surprising actions in the visible code, but you may want to inspect the remainder of the script (truncated in the provided snippet) to confirm there are no unexpected network endpoints or behavior before granting the APIFY token.
If you need stronger guarantees, run the script locally with a limited Apify token or instrument the network calls to confirm only api.apify.com is contacted.Like a lobster shell, security has layers — review code before you run it.
latestvk979hv8cdeavjky82smekpdp9d83y6aw
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
Binspython3