youtube-playlist
Pass
Audited by ClawScan on May 10, 2026.
Overview
This skill is coherent and purpose-aligned, but it requires a TranscriptAPI key and sends playlist/transcript requests to TranscriptAPI.
Before installing, be comfortable sharing playlist/video queries with TranscriptAPI and storing a TranscriptAPI API key for future use. If you use the signup flow, only provide your email and OTP intentionally, and consider using a dedicated key that you can revoke.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Playlist and video identifiers may be sent to TranscriptAPI, and API requests can consume TranscriptAPI credits.
The skill uses authenticated HTTP requests to TranscriptAPI to list playlist videos. This is expected for the stated purpose, but it means playlist requests are handled by an external provider.
curl -s "https://transcriptapi.com/api/v2/youtube/playlist/videos?playlist=PL_PLAYLIST_ID" ... -H "Authorization: Bearer $TRANSCRIPT_API_KEY"
Use the skill only for playlist or video data you are comfortable querying through TranscriptAPI, and monitor credit or billing limits.
If you let the agent create an account, it will handle your email, OTP, and resulting TranscriptAPI key.
The optional setup flow has the agent create a TranscriptAPI account using the user's email and verification code. This is disclosed and user-directed, but it involves account and credential handling.
You will handle the full signup on the user's behalf. This is a two-step flow: register ... then verify ... exchanges the OTP for the API key.
Only share the OTP if you intend the agent to complete TranscriptAPI signup, and review TranscriptAPI account, privacy, and billing terms.
Future agent sessions may be able to use your TranscriptAPI account and credits until the key is removed or revoked.
The skill asks for persistent storage of the provider API key so later agent sessions can authenticate. This is purpose-aligned, but it extends credential availability beyond the current task.
Store it persistently using whatever method is correct for this environment ... available in future sessions, including non-interactive shells
Store the key in your agent's secret manager if available, use a dedicated/revocable API key, and remove or revoke it when you no longer need the skill.
