ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

YouTube Transcript & Summary

v1.0.0

Fetch YouTube video transcripts, subtitles, and generate summaries. Use when the user wants to extract text from a YouTube video, download subtitles (similar...

0· 103·0 current·0 all-time
byJunhao@rqcker
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description match the actions described in the SKILL.md (extract transcripts, timestamps, generate summaries). However the manifest lists no code or install steps while the SKILL.md explicitly references implementation artifacts (references/methods.md and scripts/fetch.py) that are not present — an internal inconsistency that should be explained.
!
Instruction Scope
The instructions are high-level and permit the agent to "attempt to fetch the transcript using available services" but do not specify which services, endpoints, or methods (YouTube Data API, third-party sites like downsub.com, web scraping, or local tooling). That vagueness could allow broad network actions or scraping behavior not evident from the description. The SKILL.md does not instruct reading system files or secrets, which is good, but the missing implementation details make the runtime behavior unclear.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, which minimizes installation risk. No downloads or archive extraction are declared.
Credentials
No environment variables, credentials, or config paths are required — reasonable for a thin wrapper that uses only public resources. However, realistic transcript fetching often requires an API key (YouTube Data API) or access to third-party services; the absence of any declared credentials is notable and could indicate missing documentation about how the skill will access transcripts.
Persistence & Privilege
The skill does not request elevated persistence (always:false) and does not claim to modify other skills or system settings. It can be invoked by the agent normally, which is expected for skills.
What to consider before installing
Before installing, ask the skill author or publisher to clarify runtime behavior and provide the missing implementation files or a concrete description of how transcripts are fetched: which APIs or third‑party services will be contacted, whether scraping is used, and whether any API keys will be required. If the skill will use external services (e.g., downsub-like sites or the YouTube API), confirm the exact endpoints and privacy/ToS implications. Because no code accompanies the SKILL.md, treat the skill as incomplete until you see the referenced scripts; avoid granting credentials or installing anything until that is resolved. If you proceed, test it first with non-sensitive/public videos and monitor outbound network requests.

Like a lobster shell, security has layers — review code before you run it.

latestvk97c815g9j532kefnd6q973w71837gkr

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments