Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Youtube Description Autoposter

v1.0.1

Generate SEO-optimized YouTube timestamps from a YouTube URL or a raw transcript string, then optionally append them to the description of that specific vide...


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for robj1925/yt-timestamp-autoposter.

Install the skill "Youtube Description Autoposter" (robj1925/yt-timestamp-autoposter) from ClawHub.
Skill page: https://clawhub.ai/robj1925/yt-timestamp-autoposter
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install yt-timestamp-autoposter

ClawHub CLI

npx clawhub@latest install yt-timestamp-autoposter
Security Scan
Capability signals
Requires OAuth token
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
!
Purpose & Capability
The code and SKILL.md are consistent with the stated purpose (generate timestamps via Gemini and post them to YouTube). However the registry metadata lists no required environment variables or primary credential, while the SKILL.md and script explicitly require a Gemini API key and a Google OAuth credentials.json/token (to write to the user's YouTube channel). The missing declaration of these credentials in the registry is an incoherence that should be clarified.
!
Instruction Scope
The SKILL.md instructs the agent to run the included Python script and to supply a Gemini API key and (for posting) a credentials.json. The script will fetch transcripts, send transcript data to Gemini (external model), and — if requested — update video descriptions directly via the YouTube Data API. The script posts updates without an interactive confirmation step and will save OAuth tokens (token.pickle). All of these actions are within the advertised purpose, but the instructions grant the skill the ability to modify an external account and transmit content to an external LLM, which deserves explicit consent and is not reflected in the registry's declared requirements.
Install Mechanism
This is an instruction-only skill with an included Python script. There is no install spec that downloads arbitrary artifacts. Dependencies are standard Python packages (youtube-transcript-api, google-generativeai, google-auth-oauthlib, google-api-python-client) and must be pip-installed by the user. No suspicious download URLs or extract steps were found.
!
Credentials
The runtime requires a Gemini API key (passed as a positional argument or environment variable in examples) and Google OAuth credentials.json for write access to a YouTube channel (script requests scope youtube.force-ssl). The registry, however, lists no required env vars or primary credential — this mismatch is problematic. Also, the tool will send transcript/video text to Gemini (external service), so providing the Gemini key exposes potentially sensitive channel content to an external LLM; that is proportionate to the stated function but sensitive and should be declared.
!
Persistence & Privilege
The skill is not force-installed (always:false), but the script performs persistent actions on first run: it runs an OAuth browser flow and writes token.pickle to scripts/ to store credentials for future runs. It will update video descriptions programmatically and performs updates without an interactive confirmation step. These behaviors are consistent with an autoposter but increase blast radius and require user caution.
What to consider before installing
This skill appears to do what it claims (generate timestamps with Gemini and optionally append them to YouTube), but there are a few important cautions:

  1. The registry doesn't declare the credentials it actually needs: the script requires a Gemini API key and a Google OAuth credentials.json (desktop app) and will save token.pickle with write access to your channel.
  2. Posting is automatic if you run with --post (the script appends timestamps and calls videos.update without an extra confirmation), so test without --post first.
  3. Transcript and video text are sent to Gemini (an external LLM), so avoid sending sensitive content and consider the privacy implications.
  4. Only run this code from a trusted source: inspect scripts/youtube_desc_generator.py yourself (it is included) and, if you proceed, create a dedicated OAuth client with the minimal required YouTube account, store credentials securely, and be ready to revoke the OAuth client or delete token.pickle if you no longer trust the skill.

If the publisher can clarify why registry metadata omits the required credentials, that would increase confidence.

Like a lobster shell, security has layers — review code before you run it.

v1.0.1
MIT-0

YouTube Timestamp Generator & Auto-Poster

Transforms a YouTube URL or a raw transcript string into SEO-optimized timestamps (chapters) powered by Gemini. Optionally appends the result directly to the description of a specific YouTube video or your latest upload via the YouTube Data API.

⚠️ Requirements Checklist

Before using this skill, ensure you have:

  • Python 3 installed
  • Dependencies installed: pip install youtube-transcript-api google-generativeai google-auth-oauthlib google-api-python-client
  • Gemini API Key available to pass as an argument
  • credentials.json placed in scripts/ (only required for --post — download from Google Cloud Console as an OAuth 2.0 Desktop App client)

Features

  • 🕐 SEO Timestamps: Generates 0:00-based chapters with keyword-rich, scannable labels
  • 🔗 Three Input Modes: Works from a YouTube URL, a raw transcript string, or auto-targets your latest video
  • 🚀 Smart Auto-Poster: URL mode appends to that specific video; transcript and latest modes append to your latest upload
  • 🛡️ Duplicate Prevention: The --latest mode checks for existing timestamps before attempting to generate new ones
  • 🔑 Keyword Optimization: Natural integration of primary, secondary, and LSI keywords from the transcript
  • 🧹 Clean Output: Returns only the final timestamps — no extra headings or commentary

Quick Start

Mode 1 — YouTube URL

Fetches the transcript from the video, generates SEO timestamps, and optionally appends them to the description of that specific video.

# Generate only (view output)
python scripts/youtube_desc_generator.py --url "<youtube_url>" "<gemini_api_key>"

# Generate and post to that video
python scripts/youtube_desc_generator.py --url "<youtube_url>" "<gemini_api_key>" --post

Mode 2 — Raw Transcript Text

Reads a raw transcript string, generates SEO timestamps, and optionally appends them to the description of your latest YouTube upload.

# Generate only (view output)
python scripts/youtube_desc_generator.py --transcript "0:00 Welcome..." "<gemini_api_key>"

# Generate and post to latest video
python scripts/youtube_desc_generator.py --transcript "0:00 Welcome..." "<gemini_api_key>" --post

Mode 3 — Latest Video

Automatically fetches your most recent video, checks if timestamps already exist (to prevent duplicates), downloads the transcript, generates SEO timestamps, and optionally appends them to the description.

# Generate and post timestamps for your latest video (if they don't already exist)
python scripts/youtube_desc_generator.py --latest "<gemini_api_key>" --post

Examples:

python scripts/youtube_desc_generator.py --url "https://youtu.be/abc123" "$GEMINI_API_KEY"
python scripts/youtube_desc_generator.py --url "https://youtu.be/abc123" "$GEMINI_API_KEY" --post
python scripts/youtube_desc_generator.py --transcript "0:00 Welcome..." "$GEMINI_API_KEY" --post

Raw Transcript Text Format

When using --transcript, the transcript must be a string with timestamps in MM:SS format, separated by newlines:

0:00 Welcome to this video about AI agents.
0:12 Today we're going to cover what an AI agent actually is.
1:00 Let me show you a live demo of an agent booking a flight.
...

Natural Language Command Mapping

When the user speaks naturally, map their intent to the correct command using the table below. Always extract the YouTube URL or transcript text from their message and substitute it into the command.

What the user says → Command to run

  • "Create timestamps for my latest video" → python scripts/youtube_desc_generator.py --latest "$GEMINI_API_KEY" --post
  • "Generate timestamps for this video: https://youtu.be/abc123" → python scripts/youtube_desc_generator.py --url "https://youtu.be/abc123" "$GEMINI_API_KEY"
  • "Create SEO chapters from this YouTube link: https://youtu.be/abc123" → python scripts/youtube_desc_generator.py --url "https://youtu.be/abc123" "$GEMINI_API_KEY"
  • "Give me the timestamps for this video: https://youtu.be/abc123" → python scripts/youtube_desc_generator.py --url "https://youtu.be/abc123" "$GEMINI_API_KEY"
  • "Generate timestamps for this video and post it: https://youtu.be/abc123" → python scripts/youtube_desc_generator.py --url "https://youtu.be/abc123" "$GEMINI_API_KEY" --post
  • "Generate SEO timestamps and post them back to this video: https://youtu.be/abc123" → python scripts/youtube_desc_generator.py --url "https://youtu.be/abc123" "$GEMINI_API_KEY" --post
  • "Process this transcript text: 0:00 Welcome..." → python scripts/youtube_desc_generator.py --transcript "0:00 Welcome..." "$GEMINI_API_KEY"
  • "Generate timestamps from my transcript text: 0:00 Welcome..." → python scripts/youtube_desc_generator.py --transcript "0:00 Welcome..." "$GEMINI_API_KEY"
  • "Process my transcript text and post it to my latest video: 0:00 Welcome..." → python scripts/youtube_desc_generator.py --transcript "0:00 Welcome..." "$GEMINI_API_KEY" --post
  • "Generate timestamps from my transcript and upload to YouTube: 0:00 Welcome..." → python scripts/youtube_desc_generator.py --transcript "0:00 Welcome..." "$GEMINI_API_KEY" --post

Decision Rules

Use these rules to determine which command to run when the intent is ambiguous:

  • "latest video" or similar → always use --latest mode
  • URL present → always use --url mode
  • Transcript text present → always use --transcript mode
  • "post", "update", "upload", "push" anywhere in the message → add --post flag (Note: commands like "create timestamps for my latest video" imply updating it, so --post is added)
  • No --post → generate and print only, do not touch YouTube
  • --transcript --post and --latest --post → always targets the latest upload on the channel
  • --url --post → always targets that specific video
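
The decision rules above, written out as an added Python example (not part of the skill's own script): it builds the command as an argument list rather than a shell string and asks before any run that carries --post. The accepted URL shapes, the helper names and the precedence (URL, then transcript, then "latest") are assumptions of this example, and the post keywords are matched only in the instruction text outside the URL or transcript, which is narrower than the page's "anywhere in the message".

```python
import re
import subprocess
import sys

SCRIPT = "scripts/youtube_desc_generator.py"
# Accepted URL shapes are an assumption of this example; the page only shows youtu.be links.
URL_RE = re.compile(r"https://(?:youtu\.be/|www\.youtube\.com/watch\?v=)[\w-]{6,20}")
TRANSCRIPT_RE = re.compile(r"\b\d{1,3}:[0-5]\d\s+\S")  # first "MM:SS text" entry
POST_WORDS = re.compile(r"\b(?:post|update|upload|push)\b", re.I)


def build_command(message, api_key):
    """Apply the decision rules; return (argv list, whether --post was added)."""
    url = URL_RE.search(message)
    transcript = TRANSCRIPT_RE.search(message)
    if url:
        mode = ["--url", url.group(0)]
        instruction = message[:url.start()] + message[url.end():]
    elif transcript:
        # Everything from the first MM:SS entry onward is data, not instruction.
        mode = ["--transcript", message[transcript.start():]]
        instruction = message[:transcript.start()]
    elif re.search(r"\blatest\b", message, re.I):
        mode, instruction = ["--latest"], message
    else:
        raise ValueError("no URL, transcript text or 'latest video' in message")
    # Per the page, a "latest video" request implies updating it.
    post = mode == ["--latest"] or bool(POST_WORDS.search(instruction))
    argv = [sys.executable, SCRIPT, *mode, api_key] + (["--post"] if post else [])
    return argv, post


def run_with_confirmation(message, api_key, confirm=input, runner=subprocess.run):
    """Run the script; a command carrying --post needs an explicit 'y' first."""
    argv, post = build_command(message, api_key)
    if post:
        target = argv[3] if argv[2] == "--url" else "the latest upload on the channel"
        if confirm(f"Append timestamps to {target}? [y/N] ").strip().lower() != "y":
            argv.pop()  # declined: generate and print only, do not touch YouTube
    return runner(argv)  # argv list, no shell: URL/transcript stay single arguments
```
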

Generated Output

The script returns a single clean block — no labels or extra text:

  • SEO-Optimized Timestamps — YouTube chapters starting at 0:00 with keyword-rich labels and SEO suffix tags (e.g. (Tutorial), (Overview), (2026))

Important: Output only the final timestamps. Do not include any introductory sentences, headings, labels, preamble, or commentary before or after the output.

How It Works

URL mode:

  1. Extracts the video ID from the provided YouTube URL
  2. Fetches the English transcript via youtube-transcript-api
  3. Formats the transcript with MM:SS timestamps
  4. Sends a prompt to Gemini for timestamps
  5. Prints the timestamps
  6. (With --post) Authenticates via OAuth2 and appends the new timestamps to that specific video's description

Transcript mode:

  1. Reads the provided raw transcript text string
  2. Sends a prompt to Gemini for timestamps
  3. Prints the timestamps
  4. (With --post) Authenticates via OAuth2, finds your latest upload, and appends the new timestamps to its description

OAuth Setup (for --post only)

  1. Go to Google Cloud Console
  2. Create a project and enable the YouTube Data API v3
  3. Create OAuth 2.0 credentials (Desktop App type)
  4. Download the file as credentials.json and place it in scripts/
  5. On first run with --post, a browser window will open for you to authorize access
  6. A token.pickle file will be saved automatically for future runs

Troubleshooting

No transcript available (URL mode):

  • The video may have transcripts disabled or no English captions
  • Switch to --transcript mode with a manually prepared transcript string

Transcript text not loading (transcript mode):

  • Ensure the text format is correct
  • Each line should follow MM:SS text format

Gemini API errors:

  • Verify your API key is valid and has access to gemini-3.1-flash-lite-preview
  • Check your quota at Google AI Studio

--post not updating the video:

  • Ensure credentials.json is in the scripts/ directory
  • Delete token.pickle and re-authenticate if credentials have expired
  • Confirm the YouTube Data API v3 is enabled in your Google Cloud project

Wrong video appended to in transcript mode:

  • Transcript mode always targets your most recent upload — make sure the correct video is your latest
  • If you need to target a specific video, use --url mode instead

Privacy & Safety

⚠️ Important: The --post flag will append timestamps to a video's description automatically without manual confirmation in the CLI.

  • The script always shows you the target video title being updated
  • OAuth credentials are stored locally in token.pickle — keep this file secure
  • Revoke access anytime via your Google Account permissions
