YouTube Channel Parse
Advisory
Audited by Static analysis on May 12, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could use a logged-in browser session or cookie file for YouTube requests, which may expose account-level access beyond public video fetching.
This instructs the agent to use local cookie files or browser-derived cookies to bypass YouTube access restrictions. That is purpose-related, but browser/session cookies are high-impact credentials and the artifacts do not clearly require user approval or bound the exact account/session scope.
When cookies are available in the environment, prefer passing them to `yt-dlp`. Supported recovery options:
- `--cookies /path/to/cookies.txt`
- `--cookies-from-browser <browser>`
Require explicit user confirmation before using cookies, document exactly which browser/account data is accessed, prefer a user-provided YouTube-only cookies file, and avoid browser-cookie extraction unless necessary.
On an untrusted network, YouTube metadata, subtitle, or audio downloads could be tampered with, and the risk is higher if session cookies are also used.
The script disables TLS certificate checks by default for yt-dlp requests. This is an unsafe default and differs from the dependency guidance that says to use this option only when the environment requires it.
"yt-dlp", "--no-check-certificates", "--flat-playlist", "--dump-single-json",
Do not use --no-check-certificates by default; make it an explicit opt-in flag with a warning, and never combine it with browser/session cookies unless the user knowingly accepts the risk.
Running the skill may download third-party Python packages and Whisper model files into the local environment.
The skill relies on runtime package resolution and model downloads rather than pinned, preinstalled dependencies. This is expected for the transcription workflow, but users should know external code/models may be fetched during execution.
uv run --with yt-dlp --with youtube-transcript-api --with faster-whisper python scripts/<script>.py ...
On first use, model files may download automatically.
Pin dependency versions where possible, document trusted package/model sources, and run in an isolated environment if supply-chain reproducibility matters.
