Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

YouTube Analysis

v1.0.0

Analyze YouTube videos with summary and deep-dive analysis. Use when a user provides a YouTube URL and wants both a summary and analytical insights about the...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
The declared purpose (YouTube analysis) aligns with the instructions: transcript extraction followed by model-based synthesis. No unrelated credentials, binaries, or config paths are requested.
Instruction Scope
Instructions explicitly tell the agent to run a 'summarize' CLI (e.g., --youtube web --extract) and to prefer transcript-first workflows. This stays within the stated purpose. Note: the skill expects the agent to execute external commands and to transmit transcript content to the main model for analysis (normal for this use case but relevant for data exposure).
Install Mechanism
This is instruction-only (no install spec or code files), which minimizes disk-write risk. The README references installing via clawhub or a GitHub clone; the skill itself does not download or execute arbitrary remote archives. It does rely on an external 'summarize' tool being available.
Credentials
No environment variables, credentials, or config paths are required. The absence of requested secrets matches the described functionality.
Persistence & Privilege
'always' is false, and there is no indication the skill claims persistent system privileges or modifies other skills' configs. Autonomous invocation is permitted (platform default) but not excessive here.
Assessment
This skill appears coherent and low-risk, but consider the following before installing:

- Dependency: it expects an external 'summarize' tool (and possibly yt-dlp) to be present; confirm these tools come from trusted sources on your system.
- Network access: transcript extraction requires fetching from YouTube (network I/O). Ensure your environment policy permits this and you're OK with outbound requests to YouTube.
- Data exposure: extracted transcripts (which can include personal or sensitive information) will be passed to the main chat model for analysis; if your model is remote or provided by a third party, transcripts are transmitted off-host. Avoid sending private or confidential video content unless you trust the model endpoint and compliance policies.
- Source attribution: the skill's source/homepage is unspecified; README points to a GitHub repo. If you plan to install the skill from that repo, review the repository contents and confirm its authenticity.

If those considerations are acceptable, the skill's behavior matches its stated purpose. If you need stricter controls, require a vetted 'summarize' binary, restrict network access, or avoid analyzing videos containing sensitive content.

Like a lobster shell, security has layers — review code before you run it.
