Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

tl;dw - YouTube Video Summarizer

v1.0.2

Extract and summarize YouTube video transcripts into concise overviews with main points, arguments, and conclusions using video captions.

by @vovavvk · duplicate of @vovavvk/tldw
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
The SKILL.md and scripts describe extracting captions with yt-dlp, cleaning them (webvtt), caching locally, and summarizing — and the code requires exactly yt-dlp, webvtt-py, and requests. No unrelated binaries or credentials are requested.
Instruction Scope
Runtime instructions stick to extracting transcripts, parsing JSON output, and summarizing. Cookie support, cache usage, and venv setup are documented. The skill does not instruct reading unrelated system files or exfiltrating data to external endpoints beyond downloading captions/metadata from URLs returned by yt-dlp.
Install Mechanism
There is no automated install spec; SKILL.md instructs creating a local Python venv and installing packages from PyPI (yt-dlp, webvtt-py). This is a common, low-risk approach (no arbitrary archive downloads or remote installers).
Credentials
The skill declares no required environment variables or credentials. Optional cookie-file support is documented and reasonable for age-restricted content. There are no requests for unrelated secrets or system config paths.
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges. It caches transcripts under a local cache/ directory as described (normal for this purpose).
Assessment
This skill appears to do what it claims: extract and summarize YouTube captions. Before installing, consider:

- Provenance: the skill's source/homepage is unknown; verify you trust the owner or review the full repository for tampering.
- License: code is AGPL-3.0 — embedding or running it may have copyleft obligations if you modify or serve it.
- Cookie file handling: supplying a Netscape-format cookie file is optional but sensitive — do not provide cookies for accounts you don't want accessible. The skill reads a cookie file from its directory if present but does not appear to transmit it elsewhere.
- Network activity: the script downloads caption files (URLs come from yt-dlp). If a caption URL pointed to an attacker host, the script would fetch it — run in an environment you control and inspect cached files if concerned.
- SSL option: the yt-dlp options include 'nocheckcertificate': True which disables certificate checks in some cases; you may want to remove or change that setting if you require strict SSL validation.
- Installation: follow the SKILL.md venv/pip steps and install packages from official PyPI; consider doing this in an isolated environment (container or dedicated venv) and review the included Python script for any local changes before running.

If you need higher assurance, ask the skill author for a canonical source (GitHub URL / release) or supply a vetted cookie file and run the extractor in a sandbox.

Like a lobster shell, security has layers — review code before you run it.

latestvk974adshv5sx97tnj547gsrajh80jp6h
