ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

ClawHub - YouTube Downloader & Clipper

v1.1.1

Clip and download specific time ranges or full YouTube videos in various qualities, including audio-only MP3 extraction, using precise timestamps.

0· 2.2k·1 current·1 all-time
by@sandeepyadav1478
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name, README, SKILL.md, prompt.md and code all describe a YouTube clipping/downloading tool and request only the capabilities needed for that (downloading via yt-dlp, optional ffmpeg for audio). There are minor metadata mismatches (skill.json version 1.0.0 vs registry 1.1.1) and authoring references to 'Claude', but these are not security-critical.
Instruction Scope
The runtime instructions direct the agent to generate, write, execute, and then delete a temporary Python script and to auto-install the yt-dlp Python module via pip. That behavior is coherent for this purpose but means the skill will run code locally and modify the Python environment at runtime — sensible for a downloader but worth noting.
Install Mechanism
There is no remote download/install of arbitrary archives. An included install.sh only copies files into ~/.claude/skills and checks for yt-dlp/ffmpeg. The skill is instruction-only at runtime (creates temporary Python scripts) and does not pull code from untrusted URLs.
Credentials
The skill requests no environment variables, no credentials, and references only local tools (python, yt-dlp, ffmpeg). The requirement to pip-install yt-dlp is proportional to its function. No unrelated secrets or config paths are requested.
Persistence & Privilege
always is false and the skill does not request elevated or persistent platform privileges. install.sh installs files into the user's home skill directory only and does not modify other skills or system-wide settings.
Assessment
This skill appears to be what it claims: a yt-dlp-based YouTube clipper. Before installing/using it, be aware that (1) it will generate and execute temporary Python scripts on your machine, (2) it may run pip install to add the yt-dlp module to your Python environment (which can modify system/site packages depending on your Python setup), and (3) audio extraction may require ffmpeg (a separate binary). If you are comfortable allowing a skill to write and run short Python scripts and to install a Python package, this is proportional for the stated purpose. If you prefer to avoid modifying your environment, run it inside a virtualenv/container or inspect the generated script before execution. Also ensure you comply with copyright rules for downloaded content.

Like a lobster shell, security has layers — review code before you run it.

clippervk972tc3rffq5cmcfq2ashey4vn80dwykdownloadervk972tc3rffq5cmcfq2ashey4vn80dwyklatestvk972tc3rffq5cmcfq2ashey4vn80dwyklatest,youtube,clipper,downloadervk97deh1xp9fh1hxv4s8y5kt6y580d64tyoutubevk972tc3rffq5cmcfq2ashey4vn80dwyk

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments