Video Transcript Downloader
ReviewAudited by ClawScan on May 10, 2026.
Overview
The visible artifacts match a legitimate video/transcript downloader, with the main caution that it runs local downloader tooling and lets callers pass raw yt-dlp options.
This skill appears purpose-aligned for downloading videos, audio, subtitles, and transcripts. Before installing, make sure you trust the local yt-dlp/ffmpeg/npm tooling, review the full script if available, and approve any options passed after `--` rather than letting broad yt-dlp arguments be chosen implicitly.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the skill can execute local downloader commands on your machine and create files in the chosen output directory.
The skill runs a local executable, expected for invoking yt-dlp but still important because it can perform local file and network operations.
const child = spawn(cmd, args, { cwd, stdio: ["ignore", "pipe", "pipe"] });Install yt-dlp/ffmpeg from trusted sources and run the skill only for URLs and output folders you intend to use.
Extra options after `--` may significantly change what yt-dlp does.
The skill intentionally exposes raw yt-dlp option forwarding. This is disclosed and useful, but broad options can change download behavior, file locations, network access, or credential-related yt-dlp features if a user supplies them.
Pass extra `yt-dlp` args after `--` for `transcript` fallback, `download`, `audio`, `subs`, `formats`.
Review any forwarded yt-dlp arguments before running them, especially options involving cookies, browser profiles, credentials, output paths, playlists, or bulk downloads.
The skill depends on npm package code outside the reviewed skill files.
The setup installs a third-party npm dependency. The lockfile and integrity hash reduce supply-chain ambiguity, but users still rely on external package code.
"resolved": "https://registry.npmjs.org/youtube-transcript-plus/-/youtube-transcript-plus-1.1.1.tgz", "integrity": "sha512-KmAcn7eBPMgSnPJosCaaRp6/eqOAXk9p5f5ExBf+aD0M74Hud5RzbwHVoFpR5wOS++QqrrFaFhq9eiaWqWDlXg=="
Use `npm ci` with the included lockfile and install only from a trusted registry/source.