Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

YouTube Distiller

v2.1.0

Automatically download subtitles from YouTube/Bilibili and generate structured knowledge articles in various summary styles using AI.


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for sumo0221/youtube-distiller.

Install the skill "YouTube Distiller" (sumo0221/youtube-distiller) from ClawHub.
Skill page: https://clawhub.ai/sumo0221/youtube-distiller
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install youtube-distiller

ClawHub CLI


npx clawhub@latest install youtube-distiller

Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)

[!] Purpose & Capability
The name/description (download subtitles & generate summaries) matches the code's behavior, but the registry metadata claims no required env vars or binaries while the code and README clearly depend on an external yt-dlp executable and an environment variable MINIMAX_API_KEY. Hardcoded Windows paths (C:\butler_sumo\...) are used throughout, which is reasonable for a desktop tool but is not declared in the registry and may be surprising to users on other platforms.
[!] Instruction Scope
SKILL.md instructs running the bundled script, which is expected, but the script reads/writes multiple local directories (library/SumoNoteBook, tools, sync_log) and will attempt to create and modify files there. It also sends subtitle text to an external API (api.minimax.io). The runtime instructions and registry metadata do not disclose the env var requirement (MINIMAX_API_KEY) or the exact filesystem locations the skill will modify.
Install Mechanism
No install spec (instruction-only) — low installation risk. However, the code expects external binaries (yt-dlp at a hardcoded path, and optionally Whisper/faster-whisper) but the registry did not declare those dependencies or provide install steps. That mismatch can lead to unexpected failures or hidden assumptions about available tooling.
[!] Credentials
The repository/code expects MINIMAX_API_KEY, but the skill metadata lists no required environment variables. Worse: the README/dev docs include a long API key literal (cleartext) and an API URL, which appears to be a real credential—this is a sensitive disclosure. Requesting a single provider API key for summarization is proportional, but (1) it should be declared in metadata and (2) embedding a key in docs is a serious security problem (leak/unauthorized reuse).
Persistence & Privilege
The skill is not always-enabled and is user-invocable (normal). It writes files to several shared/local directories (SumoNoteBook, sync logs), which is expected for a summarizer that syncs notes, but users should be aware it will create/modify files in those hardcoded paths. There is no evidence it modifies other skills or system-wide agent settings.
What to consider before installing
This skill mostly does what it claims, but there are several red flags you should address before installing or running it:

- Do not trust the embedded API key in the README/dev docs. Treat it as leaked; if you or your org ever used it, rotate/revoke it immediately. The presence of a literal key in the repo is a security problem.
- The skill needs an API key (MINIMAX_API_KEY) though the registry metadata does not declare it — expect to set that env var yourself. Only provide a key you control and are willing to use with this third-party service.
- The script expects yt-dlp at a specific Windows path and uses many hardcoded C:\butler_sumo paths. If you run this on a different OS or without those directories the script could fail or create files in unexpected locations. Review and, if needed, change the paths before running.
- Review the code (youtube_distiller.py) locally to confirm it only sends subtitle text to the stated API and does not exfiltrate other data. Consider running it in an isolated environment (VM/container) and monitoring outgoing network requests on first run.
- If you only want local summaries, consider removing or disabling the API calls and using an offline summarizer (or supply your own provider) so you don't send data to a third-party service.

Given these inconsistencies (undeclared env var and binaries, hardcoded file paths, and a leaked-looking API key), treat this skill as suspicious until the repository owner clarifies and removes the exposed credential and documents required dependencies and filesystem behavior.

Like a lobster shell, security has layers — review code before you run it.

Tags: knowledge-distillation, latest, sumonotebook, video-summary, youtube
124 downloads
0 stars
2 versions
Updated 2w ago
v2.1.0
MIT-0

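YouTube Distiller - YouTube Knowledge Distiller

Version: 2.0.0
Purpose: Convert YouTube/Bilibili videos into structured knowledge articles

Features

  • Automatic subtitle download: fetches subtitles from YouTube/Bilibili
  • AI-powered summaries: uses the MiniMax API to summarize content
  • Multi-style output: supports standard, academic, investment, news and other formats

Usage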

python youtube_distiller.py "URL" --style standard

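Trigger phrase (蘇茉)

蘇茉,執行知識蒸餾 https://youtu.be/xxx --style investment

(The phrase is typed as shown; in English it reads "蘇茉, run knowledge distillation", followed by the URL and style option.)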

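Style options

Style       Description
standard    Standard summary
academic    Academic note format
actions     Action list
news        News bulletin format
investment  Investment analysis format
podcast     Podcast interview format
eli5        Plain-language explanation
bullets     Minimal bullet-point format

File location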

C:\butler_sumo\tools\youtube-distiller\
