tl;dw - YouTube Video Summarizer

Pass

Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: tldw
Version: 1.0.2

The skill is classified as suspicious primarily due to the `nocheckcertificate: True` option set in the `ydl_opts` within `scripts/extract_transcript.py`. This setting disables SSL certificate verification, which can expose network connections to Man-in-the-Middle (MITM) attacks, even if intended for reliability. Additionally, the skill is designed to process user-provided cookie files for accessing age-restricted content, which, while a stated feature, involves handling potentially sensitive authentication data.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

On an intercepted or untrusted network, the extractor may not verify that it is really talking to YouTube, so transcript requests could be exposed or tampered with. This becomes more serious if YouTube session cookies are used.

Why it was flagged

The code disables TLS certificate validation for yt-dlp while also allowing a cookie file to be attached to yt-dlp requests.

Skill content

'nocheckcertificate': True,  # Bypass SSL issues ... self.ydl_opts['cookiefile'] = cookies_path

Recommendation

Keep certificate validation enabled by default. If a no-certificate-check option is needed, make it an explicit user opt-in with a clear warning and avoid allowing it when cookies are supplied.

What this means

Providing a cookie file can let the tool act with your logged-in YouTube session for videos your account can access.

Why it was flagged

The skill asks users to provide exported browser cookies for authenticated YouTube access. This is disclosed and purpose-aligned, but browser cookies are account/session credentials.

Skill content

Cookie support: Can access age-restricted content with a cookie file ... export cookies from your browser ... while logged in ... Use with: `--cookies youtube_cookies.txt`

Recommendation

Only provide cookies when necessary, keep the cookie file private, delete it after use, and prefer a dedicated or limited browser profile if possible.

What this means

Transcript text and related video data may remain on the local machine after the summary is produced.

Why it was flagged

The skill intentionally persists transcript data on disk, which may include restricted or sensitive video content if cookies are used.

Skill content

Downloaded transcripts are cached locally to avoid re-downloading

Recommendation

Use the cache only in a trusted location, clear it for sensitive videos, and add clear retention/cleanup instructions.

What this means

The installed dependency versions may change over time, and users rely on the current PyPI packages at setup time.

Why it was flagged

Setup installs unpinned packages from PyPI at use time instead of using a pinned install spec or lockfile.

Skill content

venv/bin/pip install yt-dlp webvtt-py

Recommendation

Provide a pinned install spec or lockfile and document the expected dependency versions.