Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

ytdlp-transcript — YouTube to Text via yt-dlp

Fetch and summarize transcripts from any YouTube video. Paste a URL and your agent reads the video for you — summarize, translate, extract insights.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 20 · 0 current installs · 0 all-time installs
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's name/description and runtime code align: transcript.js invokes yt-dlp to download subtitles and cleans them. However the registry/manifest metadata shown at the top claims 'Required binaries: none' while SKILL.md and package.json both indicate yt-dlp is required — an inconsistency between declared requirements and actual runtime needs.
Instruction Scope
SKILL.md instructs the agent to run the included Node script and to have yt-dlp installed. The instructions and script are narrowly scoped to fetching and cleaning VTT subtitles; the script only reads/writes temp files and spawns yt-dlp to fetch captions. It does not read other system files or exfiltrate data to third-party endpoints.
Install Mechanism
There is no install spec (instruction-only), but the package contains both package.json and a package-lock.json that lists many dependencies not present in package.json. That mismatch is unusual: if a user runs npm install they may pull a larger dependency tree (youtubei.js, ytdl-core, etc.) than package.json implies, increasing supply-chain risk. Also some lockfile packages require newer Node engines, which could cause runtime surprises. The lack of an explicit install step plus the presence of a populated package-lock is a packaging inconsistency worth reviewing.
Credentials
The skill declares no required environment variables or credentials and the code does not access env vars beyond using standard OS temp paths. Requested permissions are proportionate to the task (reading/writing temp files and calling yt-dlp).
Persistence & Privilege
The skill does not request permanent presence (always:false) and does not modify other skills or system-wide config. The agent may invoke it autonomously (platform default), which is expected for skills.
What to consider before installing
This skill appears to do what it says: run yt-dlp to download captions and clean them. Before installing or running it, note three things:

  1) SKILL.md and package.json require yt-dlp, but the top-level metadata omitted that — make sure you install yt-dlp from an official source (e.g., the yt-dlp releases or your package manager) and don't assume it's already present.
  2) The repo includes a package-lock.json that contains many dependencies not listed in package.json — avoid blindly running npm install without reviewing the lockfile and understanding what will be installed; consider running the single script directly with Node and an explicit yt-dlp binary instead of doing a full npm install.
  3) Run the script in a sandbox or with limited privileges first (it writes temp files and spawns yt-dlp which will access the network).

If you need higher assurance, ask the publisher to reconcile the metadata (declare yt-dlp as required) and to provide a minimal, consistent package-lock or remove it if not needed.
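The lockfile review recommended above can be scripted before anything is installed. This is an added example, not code from the skill or the scan report: it compares a package.json against the `packages` map of an npm lockfile (lockfileVersion 2 or 3) and lists lockfile entries the manifest cannot account for. The manifest, the lockfile contents, the versions and the `example-*` package names are constructed; `youtubei.js` and `ytdl-core` are the names mentioned in the finding.

```javascript
// Added example. SAMPLE_MANIFEST and SAMPLE_LOCK are constructed inputs,
// not the skill's real package.json or package-lock.json.
const FIELDS = ["dependencies", "optionalDependencies", "peerDependencies"];
const depNames = (entry, fields = FIELDS) =>
  fields.flatMap((f) => Object.keys((entry && entry[f]) || {}));

// Resolve `name` the way Node does from lockfile path `from`:
// nearest nested node_modules first, then each parent, then the root.
function resolve(packages, from, name) {
  for (let base = from; ; ) {
    const key = (base ? base + "/" : "") + "node_modules/" + name;
    if (key in packages) return key;
    if (!base) return null;
    const cut = base.lastIndexOf("/node_modules/");
    base = cut === -1 ? "" : base.slice(0, cut);
  }
}

function auditLockfile(manifest, lock) {
  const packages = lock.packages || {}; // lockfileVersion 2 and 3 layout
  const all = [...FIELDS, "devDependencies"];
  const declared = new Set(depNames(manifest, all));
  // The lockfile's root entry should mirror package.json.
  const undeclared = depNames(packages[""], all).filter((n) => !declared.has(n));
  // Walk everything package.json can actually pull in.
  const reachable = new Set();
  const queue = [...declared].map((n) => ["", n]);
  while (queue.length) {
    const [from, name] = queue.pop();
    const key = resolve(packages, from, name);
    if (!key || reachable.has(key)) continue;
    reachable.add(key);
    for (const child of depNames(packages[key])) queue.push([key, child]);
  }
  const unreachable = Object.keys(packages)
    .filter((k) => k !== "" && !reachable.has(k)).sort();
  return { undeclared: [...new Set(undeclared)].sort(), unreachable };
}

const SAMPLE_MANIFEST = { name: "sample-skill", dependencies: { "example-declared": "^1.0.0" } };
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "sample-skill", dependencies: { "example-declared": "^1.0.0", "youtubei.js": "*", "ytdl-core": "*" } },
  "node_modules/example-declared": { version: "1.0.0", dependencies: { "example-child": "^1.0.0" } },
  "node_modules/example-child": { version: "1.0.0" },
  "node_modules/youtubei.js": { version: "0.0.0", dependencies: { "example-extra": "*" } },
  "node_modules/example-extra": { version: "0.0.0" },
  "node_modules/ytdl-core": { version: "0.0.0" },
} };
console.log(auditLockfile(SAMPLE_MANIFEST, SAMPLE_LOCK));
```

A non-empty `undeclared` or `unreachable` list means the lockfile was generated from a different manifest than the one shipped, which is the condition the scan describes.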
transcript.js:61
Shell command execution detected (child_process).
transcript.js:94
File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

Current version: v1.0.0
latestvk97ez9x10nftwkjyetay0tztax830179

SKILL.md

youtube-transcript

Fetch and summarize transcripts from any YouTube video using yt-dlp.

Usage

Ask your agent:

  • "Get the transcript of [YouTube URL]"
  • "Summarize this video: [YouTube URL]"
  • "What is the main message of [YouTube URL]?"
  • "Translate and explain this video: [YouTube URL]"

How It Works

Uses yt-dlp to download auto-generated or manual captions from YouTube. Supports all languages — defaults to Portuguese (pt), falls back to English (en).

Requirements

  • yt-dlp installed: brew install yt-dlp
  • Node.js 18+

Script

node skills/youtube-transcript/transcript.js <youtube-url-or-id> [lang]

Example

node skills/youtube-transcript/transcript.js https://www.youtube.com/watch?v=LAdJsmTe8LM pt

Files

4 total