Back to skill
Skillv1.1.0
ClawScan security
Youtube Knowledge Extractor · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignFeb 15, 2026, 10:28 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's requested tools and instructions match its stated purpose (extracting transcripts and frames from YouTube videos) and do not request unrelated credentials or system access.
- Guidance
- This skill appears coherent and limited to downloading and analyzing YouTube content. Before installing, confirm you are comfortable with: (1) the skill downloading videos and writing temporary files to /tmp (potentially large disk/network usage), (2) network access to YouTube/captions endpoints, and (3) the source used to install yt-dlp — verify the 'uv' installer or install yt-dlp from a trusted package source yourself. Also consider copyright and terms-of-service implications for downloading videos and transcripts. If you need stricter controls, run the skill in an isolated environment or container.
Review Dimensions
- Purpose & Capability
- okName/description (multimodal YouTube analysis) aligns with required binaries (yt-dlp, ffmpeg, python3, curl) and the described steps (download metadata/subtitles, download video, extract frames, analyze). The declared install (yt-dlp) is appropriate for the task.
- Instruction Scope
- okSKILL.md contains explicit shell/python commands that operate only on a temp working directory, fetch YouTube metadata/subtitles via yt-dlp/curl, download the video, and run ffmpeg/ffprobe. It does not instruct reading unrelated system files, environment variables, or exfiltrating data to unexpected endpoints.
- Install Mechanism
- noteInstall uses a 'uv' package entry to provide yt-dlp. Installing yt-dlp is expected, but 'uv' is an uncommon installer in this metadata — user may want to confirm the installer/source provenance for yt-dlp on their platform.
- Credentials
- okNo environment variables, credentials, or config paths are requested. Network access to YouTube/captions endpoints is required and consistent with the skill's purpose.
- Persistence & Privilege
- okSkill is not always-enabled, does not request elevated privileges, and only writes artifacts to a temporary working directory under /tmp. It does not alter system or other-skill configurations.