Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

tl;dw - YouTube Video Summarizer

v1.0.2

Extracts YouTube video transcripts and provides concise summaries highlighting main points, arguments, and conclusions without watching the full video.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
The name/behavior match: SKILL.md and scripts both describe extracting YouTube captions via yt-dlp, cleaning/deduplicating captions, caching them, and then summarizing the transcript in the agent session. The declared dependencies (yt-dlp, webvtt-py) and the provided extract_transcript.py are what you'd expect for this function.
Instruction Scope
Runtime instructions are narrowly scoped to: create a venv, pip-install yt-dlp and webvtt-py, run scripts/extract_transcript.py to produce JSON, and summarize the transcript. The documentation does not instruct reading unrelated system files or sending data to unknown endpoints; the code fetches caption URLs (from yt-dlp metadata) and uses requests to download them, which is consistent with the purpose.
Install Mechanism
There is no automated install spec in the registry (instruction-only), so setup requires pip installing packages into a local venv as documented. Those installs come from PyPI (yt-dlp, webvtt-py) — common and expected, but you should be aware that pip will fetch third-party packages at install time.
Credentials
The skill requests no environment variables or credentials. It does offer optional cookie-file support for age-restricted content (Netscape-format cookies). That is functionally justified but sensitive: cookies can contain session/authentication tokens. The script otherwise caches transcripts locally and does not declare any external secret storage. Also note yt-dlp option 'nocheckcertificate': True disables strict SSL checking for downloads — likely intended to improve reliability but reduces TLS protections.
Persistence & Privilege
The skill does not request persistent/global privileges (always:false). It creates a local venv/ and cache/ directories within the skill directory as documented, which is expected and confined to its own directory. It does not modify other skills or system-wide agent settings.
Assessment
This skill appears to do what it says: download and clean YouTube captions and let the agent summarize them. Before installing or using it:

1) Review scripts/extract_transcript.py yourself (it's included) or run it in an isolated environment.
2) If you must summarize age-restricted videos, avoid supplying your primary Google/YouTube cookies; use a throwaway account or a minimal cookie export, because the cookie file contains session tokens.
3) Be aware that pip will fetch yt-dlp and webvtt-py from PyPI; only install packages you trust, and consider running installs in a dedicated venv or container.
4) Note that the script sets 'nocheckcertificate' (weakened TLS checking) and high retry counts; this is acceptable for robustness but reduces certificate validation.
5) AGPL-3.0 applies (see LICENSE); be mindful of copyleft obligations if you modify or redistribute.

If you want higher assurance, run the script manually on a sample URL and inspect the cached outputs before letting an agent run it autonomously.

Like a lobster shell, security has layers — review code before you run it.

latestvk972ppjhnyz21p02qqfhxq6g3n80j0am
