tl;dw - YouTube Video Summarizer

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate YouTube transcript tool, but it needs review because it handles YouTube login cookies, caches transcript data, and disables certificate checking.

Review this before installing. Use it only with non-sensitive videos unless you understand the privacy implications, keep any youtube_cookies.txt file outside shared or synced folders, restrict its permissions, never commit or share it, and delete it after use. Prefer a version that removes nocheckcertificate and clearly documents where cached transcripts and metadata are stored and how to clear them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill explicitly promotes local caching of downloaded transcripts and metadata but never warns that potentially sensitive video content, titles, descriptions, and other metadata will be persisted on disk. In shared, managed, or multi-user environments this can create unintended data retention and privacy exposure, especially if users assume processing is ephemeral.

Missing User Warnings

High
Confidence: 96%
Finding
The skill instructs users to export browser cookies and use them for age-restricted or members-only content, but does not warn that authenticated cookie files are highly sensitive secrets that may grant account access. If stored insecurely, reused improperly, or exposed through logs or the filesystem, they could enable unauthorized access to the user's YouTube/Google session or private content.

VirusTotal

64/64 vendors flagged this skill as clean.
