tl;dw - YouTube Video Summarizer
ReviewAudited by ClawScan on May 10, 2026.
Overview
The skill mostly matches its YouTube-summary purpose, but it disables certificate checks while also supporting browser YouTube cookies, which weakens account/session protection.
Review before installing. It appears intended to summarize YouTube transcripts, but avoid using browser cookies unless necessary, and do not use cookies with the current certificate-check bypass. If you do use it, enable normal TLS verification, install dependencies from trusted pinned versions, and clear cookies/cache after summarizing sensitive videos.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
On an intercepted or untrusted network, the extractor may not verify it is really talking to YouTube, which could expose or tamper with transcript requests and becomes more serious if YouTube session cookies are used.
The code disables TLS certificate validation for yt-dlp while also allowing a cookie file to be attached to yt-dlp requests.
'nocheckcertificate': True, # Bypass SSL issues ... self.ydl_opts['cookiefile'] = cookies_path
Keep certificate validation enabled by default. If a no-certificate-check option is needed, make it an explicit user opt-in with a clear warning and avoid allowing it when cookies are supplied.
Providing a cookie file can let the tool act with your logged-in YouTube session for videos your account can access.
The skill asks users to provide exported browser cookies for authenticated YouTube access. This is disclosed and purpose-aligned, but browser cookies are account/session credentials.
Cookie support: Can access age-restricted content with a cookie file ... export cookies from your browser ... while logged in ... Use with: `--cookies youtube_cookies.txt`
Only provide cookies when necessary, keep the cookie file private, delete it after use, and prefer a dedicated or limited browser profile if possible.
Transcript text and related video data may remain on the local machine after the summary is produced.
The skill intentionally persists transcript data on disk, which may include restricted or sensitive video content if cookies are used.
Downloaded transcripts are cached locally to avoid re-downloading
Use the cache only in a trusted location, clear it for sensitive videos, and add clear retention/cleanup instructions.
The installed dependency versions may change over time, and users rely on the current PyPI packages at setup time.
Setup installs unpinned packages from PyPI at use time instead of using a pinned install spec or lockfile.
venv/bin/pip install yt-dlp webvtt-py
Provide a pinned install spec or lockfile and document the expected dependency versions.