Skill v0.1.0

ClawScan security

Youtube Transcript Api · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 18, 2026, 12:50 PM
Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary
The skill's instructions, network usage, and credential needs match its stated purpose (YouTube transcript extraction/translation); no install steps or unusual environment access are requested, but the source is anonymous so exercise normal caution when providing API keys or webhook URLs.
Guidance
This skill looks coherent for fetching/translating YouTube transcripts. Before installing or using it: only provide an API key if you trust the skill/provider (use a limited or test key if possible); avoid exposing sensitive credentials; be cautious when specifying a webhook_url — that endpoint will receive transcript data (don’t point it at an endpoint you don't control or trust); confirm the real provider/site (youtubetranscript.dev) and prefer creating/using a scoped API key there; monitor and rotate keys after use; be aware of costs/credit usage for batch or ASR jobs.

Review Dimensions

Purpose & Capability
ok: The name/description describe extracting/translating YouTube transcripts and the SKILL.md provides concrete HTTP endpoints, examples, and an SDK reference that align with that purpose. No unrelated credentials, binaries, or installs are requested.
Instruction Scope
note: Instructions are narrowly scoped to calling the youtubetranscript.dev API (POST /transcribe, /batch, polling endpoints, webhook support). They instruct the agent to ask the user for an API key and to optionally provide a webhook URL for async ASR results. Webhook URLs can forward data outside the agent environment; this is expected for this API but worth noting as a data-exfiltration vector if misused.
Install Mechanism
ok: No install spec or code files are present (instruction-only). No downloads or package installs are required by the skill itself. The SKILL.md mentions an npm SDK as an example but does not attempt to install it automatically.
Credentials
note: The skill requires an API key for youtubetranscript.dev (Authorization: Bearer ...) which is proportional to the described functionality. The skill declares no required environment variables; it expects the agent or user to supply an API key at runtime. This is reasonable, but users should avoid pasting high-privilege keys into untrusted contexts and be cautious about providing webhook URLs that accept callbacks.
Persistence & Privilege
ok: "always" is false and the skill is instruction-only; it does not request persistent system presence or modify other skills/config. Default autonomous invocation remains allowed, but that is not exceptional for this skill.