Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Baoyu Youtube Transcript

v1.103.1

Downloads YouTube video transcripts/subtitles and cover images by URL or video ID. Supports multiple languages, translation, chapters, and speaker identifica...

0· 559·10 current·10 all-time
by Jim Liu 宝玉 (@jimliu)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
The name/description (download YouTube transcripts and cover images) matches the included scripts and runtime instructions. Required binaries (bun or npx) are only for running the provided TypeScript scripts; no unrelated credentials or config paths are requested.
Instruction Scope
Instructions stay within the stated purpose but explicitly perform network requests to YouTube (InnerTube) and write output to a local cache/output directory (default: ./youtube-transcript). They also describe a fallback to yt-dlp and the ability to pass browser cookies to yt-dlp. These behaviors are expected for a transcript downloader but you should be aware the skill will: fetch HTML, extract an InnerTube API key from the page, call YouTube endpoints, download thumbnails, and create files under the chosen output directory.
Install Mechanism
There is no install spec (instruction-only in the registry), and the included source is executed via bun or npx. No remote archives or arbitrary downloads are performed by the installer. This is a low-risk install model; runtime network activity occurs when you run the script.
Credentials
The skill declares no required environment variables. It documents a single optional env var (YOUTUBE_TRANSCRIPT_COOKIES_FROM_BROWSER) used for yt-dlp cookies-from-browser fallback; this is reasonable and proportional to its stated fallback behavior. No unrelated secrets or cloud credentials are requested.
Persistence & Privilege
always: false and normal autonomous invocation are used. The skill writes cached files and thumbnails into a local directory it controls (youtube-transcript by default) and updates a local index (.index.json). It does not request system-wide privileges or modify other skills.
Assessment
This skill appears to do exactly what it says: fetch YouTube transcripts and thumbnails, cache them locally, and optionally fall back to yt-dlp. Things to consider before installing/running:
- It will perform network requests to YouTube and write files under the output directory (default ./youtube-transcript). If you care about disk location or multi-user privacy, set --output-dir to a suitable path.
- The code may spawn yt-dlp as a fallback (child_process.spawnSync is present). If yt-dlp is installed on your system, the skill may execute it; if you prefer not to allow that, remove or restrict yt-dlp.
- The optional env var YOUTUBE_TRANSCRIPT_COOKIES_FROM_BROWSER allows passing browser cookie sources to yt-dlp; provide it only if you understand the implications.
- Because the script extracts data from YouTube pages (including pulling an InnerTube API key from HTML), review the code yourself if you require higher assurance. Running in a sandbox or isolated environment is prudent for new skills.
Overall: coherent and proportional to its purpose, with standard filesystem and network behavior for a downloader tool.
scripts/youtube.ts:293
Shell command execution detected (child_process).
scripts/youtube.ts:377
Environment variable access combined with network send.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

latestvk97735057s8dw3zj5k4tgwkdyn84rv0m


Runtime requirements

Any bin: bun, npx
