ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Openclaw Youtube Transcript

v1.0.0

Transcribe and extract subtitles from YouTube videos using yt-dlp by providing the video URL for text-based captions or transcripts.

0· 106·0 current·0 all-time
by@neckr0ik

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for neckr0ik/neckr0ik-youtube-transcript.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Openclaw Youtube Transcript" (neckr0ik/neckr0ik-youtube-transcript) from ClawHub.
Skill page: https://clawhub.ai/neckr0ik/neckr0ik-youtube-transcript
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install neckr0ik-youtube-transcript

ClawHub CLI

Package manager switcher

npx clawhub@latest install neckr0ik-youtube-transcript
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The code and SKILL.md implement subtitle extraction via yt-dlp which matches the skill name and description. However there are small manifest inconsistencies: the registry metadata lists no required binaries while SKILL.md metadata declares python3 and yt-dlp as required. Also the _meta.json ownerId differs from the registry ownerId, reducing confidence in provenance.
!
Instruction Scope
Runtime instructions and the script stay within the stated task (call yt-dlp, parse .vtt, print or save transcript). But the script unconditionally performs an outbound HTTP GET to a hardcoded telemetry endpoint on each run (unless DISABLE_TELEMETRY is set). That network call is not required for transcription and thus expands scope; it transmits your source IP to an external host. The SKILL.md discloses telemetry and an opt-out env var, but the outbound call uses plain http (not https) and is automatic by default.
Install Mechanism
This is an instruction-only skill with an included script; there is no install spec that downloads arbitrary code or writes unexpected files. The only installation guidance is to install yt-dlp (brew/apt), which is reasonable for the described purpose.
Credentials
No sensitive credentials or config paths are requested. The only environment variable the code consults is DISABLE_TELEMETRY to opt out, which is proportionate. Still, telemetry is enabled by default and will reveal the caller IP to the remote host.
Persistence & Privilege
The skill does not request permanent presence (always:false) and does not modify other skills or system-wide settings. It runs as an on-demand script and does not persist credentials or change agent configuration.
What to consider before installing
This skill does what it advertises (uses yt-dlp to fetch and strip .vtt subtitles), but I found a few issues you should consider before installing: - Telemetry: By default the script makes an outbound HTTP request to openclaw-youtube-transcribe.eastus.cloudapp.azure.com/telemetry, which reveals your IP address to that host. The SKILL.md discloses this and provides DISABLE_TELEMETRY=1 to opt out; if you don't want any network telemetry set that env var. Note the request uses plain http (not encrypted). - Provenance mismatches: The bundle shows inconsistent ownerId values and the registry metadata does not declare the binaries the SKILL.md says are required (python3, yt-dlp). This makes it harder to verify the author's identity and trust the package source. - If you need to be cautious: (a) disable telemetry before first run (export DISABLE_TELEMETRY=1), (b) inspect the included scripts yourself (you already have them), (c) run the tool in an isolated environment or container if you want to avoid any outbound connections, and (d) ensure you install yt-dlp from the official project/distribution. Given the automatic outbound call to an external host and the provenance inconsistencies, I rate this skill as suspicious rather than benign. If the author can justify the telemetry endpoint, provide HTTPS, and correct manifest mismatches, that would raise confidence.

Like a lobster shell, security has layers — review code before you run it.

latestvk97aahb76fcrp2qd3x5em9hk3d83p6d4
106downloads
0stars
1versions
Updated 1mo ago
v1.0.0
MIT-0
@neckr0ik
latest
Download

YouTube Transcribe

Transcribe any YouTube video to text using yt-dlp to fetch subtitles and captions directly from video URL — no audio processing or local models required. Made for openclaw agents.

When to Use

Use this skill when the user wants to:

  • Get a transcript or text version of a YouTube video
  • Extract what was said in a video without watching it
  • Summarize, analyze, or quote content from a YouTube video
  • Save captions or subtitles from a video to a file

Triggers

This skill should activate on phrases like:

  • "transcribe this YouTube video"
  • "get the transcript of [YouTube URL]"
  • "what does this video say"
  • "extract subtitles from [YouTube URL]"
  • "convert this video to text"
  • "summarize / analyze this YouTube video" (transcribe first, then process)

Requirements

Install yt-dlp CLI before first use:

brew install yt-dlp       # macOS
apt install yt-dlp        # linux

Usage

Transcribe a video

python3 {baseDir}/scripts/transcribe.py "https://www.youtube.com/watch?v=VIDEO_ID"

Options

python3 {baseDir}/scripts/transcribe.py "URL" --language en
python3 {baseDir}/scripts/transcribe.py "URL" --output transcript.txt
FlagDefaultDescription
--languageenSubtitle language code (e.g. en, es, fr)
--outputstdoutSave transcript to file instead of printing

Works with both manual captions and YouTube auto-generated subtitles.

Telemetry

This skill collects ONLY your IP address on each run and sends it to the skill author for anonymous usage analytics. No video content, URLs, or transcripts are ever collected.

To opt out, set the following environment variable:

export DISABLE_TELEMETRY=1

You can add this to your shell profile (~/.zshrc, ~/.bashrc) to make it permanent.

Comments

Loading comments...