Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Youtube Instant Article

v0.1.0

Transform YouTube videos into Telegraph Instant View articles with visual slides and timestamped summaries. Use this skill whenever a user shares a YouTube URL (youtube.com or youtu.be) and asks to summarize, explain, or process the video. This is the DEFAULT skill for all YouTube video requests - do NOT use the generic summarize tool for YouTube.

Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Functionality (extract slides, summarize via an LLM, upload images, publish to telegra.ph) matches the skill name and description. Required tools (summarize, jq, curl, optionally ffmpeg) are reasonable for the task. However the registry metadata declares no required environment variables/credentials while the SKILL.md and scripts require TELEGRAPH_TOKEN and expect an OpenAI key (OPENAI_API_KEY) for summarize; that mismatch is an incoherence.
! Instruction Scope
SKILL.md and the scripts instruct sourcing a specific .env file (SKILL.md shows an absolute path /Users/viticci/clawd/.env) and the wrapper script also sources $HOME/clawd/.env — these are surprising and out-of-band for a general skill. The scripts read local .env files and will use any secrets found there. The runtime instructions also force use of the generate.sh pipeline and the included workflow is prescriptive (e.g., 'NEVER manually create Telegraph content'), reducing user control. Network interactions are limited to expected endpoints (OpenAI via summarize tool, catbox.moe for images, and telegra.ph), but the instructions encourage automatic access to secrets from local files without declaring them in metadata.
Install Mechanism
No install spec is provided (instruction-only), so nothing is downloaded or written by an installer. That lowers supply-chain risk. The SKILL.md and scripts require third-party binaries (summarize via a tap, jq, curl, optionally ffmpeg) which is proportionate to the task. No arbitrary URL downloads or archive extraction are present in the provided files.
! Credentials
The skill uses TELEGRAPH_TOKEN (required by generate.sh) and implicitly requires an OpenAI API key for summarization (SKILL.md and README call out OPENAI_API_KEY / GPT-5.2). Yet the registry metadata lists no required env vars or primary credential. Additionally, the scripts explicitly source a project's .env and a user-specific path ($HOME/clawd/.env and SKILL.md's /Users/viticci/clawd/.env), which could cause the skill to read secrets not declared or expected by the installer. Requiring Telegraph and OpenAI credentials is reasonable for the feature, but failing to declare them and sourcing arbitrary .env locations is disproportionate and surprising.
Persistence & Privilege
The skill is not 'always:true' and does not request elevated system privileges or modify other skills. It cleans up temporary files by default and only writes user-visible files if the user runs setup.sh (which outputs the token) or uses --debug. Nothing in the files tries to persist in agent-wide configuration or modify other skills. Autonomous invocation is enabled (default) but not by itself problematic; combined with the other concerns it increases the importance of verifying secrets handling.
What to consider before installing
Key things to consider before installing or running this skill:

  • Secrets are required but not declared: The scripts expect TELEGRAPH_TOKEN and the summarize workflow expects an OpenAI key (SKILL.md/README), yet the registry metadata lists no required env vars. Confirm the manifest is updated to declare these credentials before trusting the skill.
  • Unexpected .env sourcing: SKILL.md suggests sourcing /Users/viticci/clawd/.env and the wrapper will source $HOME/clawd/.env if present. That is unusual: the skill may read any secrets in those files. Do not run the scripts if you keep unrelated secrets in such files; instead set only the necessary env variables in a controlled shell or dedicated .env in the project directory.
  • Inspect network endpoints: The scripts upload images to catbox.moe and publish pages to api.telegra.ph; these are expected but are network calls that send image data and the Telegraph access token. If you have policy concerns about public image hosting or third-party storage, replace or review that behavior.
  • Run in a sandbox first: Execute the scripts in a controlled environment (throwaway account / container) to confirm behavior. Use a test Telegraph account and a limited OpenAI key or billing guard to avoid unexpected costs or exposure.
  • Request fixes from the publisher: ask the skill author to (1) declare required env vars in registry metadata (TELEGRAPH_TOKEN, OPENAI_API_KEY), (2) remove hard-coded personal paths (/Users/viticci/...) and the unexpected $HOME/clawd/.env sourcing, and (3) document exactly what is read/sent. If the author cannot justify those oddities, avoid using the skill.

Confidence: medium. The code contains clear mismatches and surprising behavior, but there is no direct evidence of intentional exfiltration to unknown endpoints; the issues could be sloppy packaging or an oversight. Additional confirmation (author clarification or updated manifest) would raise confidence.
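An added example, not part of the skill or the scan report: one way to follow the ".env" advice above without `source`, which runs the file as shell code and imports every variable in it. The function reads the file as data and exports only the two variables SKILL.md names; the helper name load_allowed_env and the file path in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not the skill's code. Reads a .env file as data and
# exports only TELEGRAPH_TOKEN and OPENAI_API_KEY (the keys SKILL.md names).
# load_allowed_env is a hypothetical helper name.

load_allowed_env() {
    env_file=$1
    if [ ! -f "$env_file" ]; then
        echo "load_allowed_env: no such file: $env_file" >&2
        return 2
    fi
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line#export }                 # tolerate "export KEY=value"
        case $line in
            '#'*|'') continue ;;             # comment or blank line
            *=*) ;;                          # KEY=value, handled below
            *) continue ;;                   # anything else is ignored
        esac
        key=${line%%=*}
        val=${line#*=}
        case $val in                         # strip one pair of quotes
            \"*\") val=${val#\"}; val=${val%\"} ;;
            \'*\') val=${val#\'}; val=${val%\'} ;;
        esac
        case $key in
            TELEGRAPH_TOKEN|OPENAI_API_KEY)
                # Assigned literally: $(...) or backticks in the file
                # are never evaluated.
                export "$key=$val" ;;
        esac
    done < "$env_file"

    # Fail closed if a required key is still absent from the environment.
    missing=
    for required in TELEGRAPH_TOKEN OPENAI_API_KEY; do
        printenv "$required" >/dev/null || missing="$missing $required"
    done
    if [ -n "$missing" ]; then
        echo "load_allowed_env: not set:$missing" >&2
        return 1
    fi
    return 0
}

# Usage (path is an assumption): load_allowed_env ./project.env || exit 1
```

Unrelated keys in the same file stay out of the process environment, so they are not inherited by summarize, curl or any other child process the pipeline starts.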

Like a lobster shell, security has layers — review code before you run it.

latest vk973eh0pw2d65fr5mc759rj2rd7zrm6t
2k downloads · 1 star · 1 version
Updated 16h ago · v0.1.0 · MIT-0

YouTube Instant Article

Transform YouTube videos into Telegraph Instant View articles with visual slides and timestamped summaries.

When to Use

ALWAYS use this skill when:

  • User shares a YouTube URL (any youtube.com or youtu.be link)
  • "Summarize this video"
  • "What's this video about?"
  • "Turn this into an article"
  • "Give me the gist of this video"

Only use generic summarize for:

  • Non-YouTube URLs (articles, websites, PDFs)
  • Explicit "just give me the transcript" requests

Quick Start

source /Users/viticci/clawd/.env && {baseDir}/scripts/generate.sh "$ARGUMENTS"

Options

Flag            Default  Description
--slides-max N  6        Maximum slides to extract
--debug         off      Keep temp files for debugging

Environment Variables

Required environment variables are loaded from /Users/viticci/clawd/.env:

  • TELEGRAPH_TOKEN - Telegraph API access token
  • OPENAI_API_KEY - For GPT-5.2 summarization

Output

Telegraph Instant View article with:

  • 📺 Video link at top
  • 🖼️ Slides interleaved with timestamped sections
  • ⏱️ Key moments with timestamps
  • 💬 Notable quotes as blockquotes
  • ✨ Proper title from YouTube

Architecture

YouTube URL
    │
    ├─► summarize --extract (get video title)
    │
    ├─► summarize --slides (extract key frames)
    │
    ├─► summarize --timestamps (GPT-5.2 summary)
    │
    ├─► catbox.moe (upload images)
    │
    └─► Telegraph API (create article)

Key Features

Image Hosting: catbox.moe

  • No API key required
  • No expiration
  • Reliable CDN
  • Direct URL embedding

LLM: OpenAI GPT-5.2

  • Fast (~4-5 seconds)
  • High quality summaries
  • Automatic timestamp extraction

Layout: Interleaved Images

  • Images distributed across timestamp sections
  • Not grouped at top
  • Each major section gets a relevant slide

⚠️ Important Notes

Instant View Timing

Telegram needs 1-2 minutes to generate Instant View for new pages. If the ⚡ button doesn't appear immediately, wait and try again.

Script Requirements

  • Uses zsh (not bash) for associative array support
  • Requires: summarize, jq, curl
  • Optional: ffmpeg (for local video processing)

Always Use the Script

NEVER manually create Telegraph content. Always use generate.sh:

  • Ensures proper h4 headers (required for Instant View)
  • Distributes images correctly
  • Extracts video title automatically

Dependencies

  • summarize v0.10.0+ (brew install steipete/tap/summarize)
  • jq (brew install jq)
  • curl (pre-installed on macOS)
  • OpenAI API key with GPT-5.2 access

Processing Time

Video Length  Approx. Time
< 15 min      20-30s
15-30 min     30-45s
30+ min       45-60s+

Troubleshooting

"Failed to get summary"

  • Check OPENAI_API_KEY is set
  • Verify API key has GPT-5.2 access
  • Try with --debug flag

No Instant View button

  • Wait 1-2 minutes for Telegram to process
  • Verify article has content (not empty)
  • Check images loaded (visit Telegraph URL directly)

Images not showing

  • catbox.moe might be temporarily down
  • Check upload succeeded in debug output
  • Verify URLs are HTTPS
