ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Youtube Lecture Analyzer

Extracts and analyzes YouTube lecture subtitles to identify key points, evidence, and actionable insights for review, writing, and teaching purposes.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 264 · 0 current installs · 0 all-time installs
by@wallfacer-web
MIT-0
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description align with using youtube-transcript-api to extract/analyze subtitles. However, the repo metadata and SKILL.md declare an HTTP proxy (127.0.0.1:26739) and list 'requests' as a dependency even though the script does not use requests; those additions are not explained by the stated purpose and are unexpected.
!
Instruction Scope
Runtime instructions and the included script perform only transcript fetching, text cleaning, summarization, console output, and writing a report file to disk (lecture_analysis_<video_id>.txt). But the script unconditionally sets HTTP_PROXY and HTTPS_PROXY to http://127.0.0.1:26739 before importing the transcript library — this forces all HTTP(S) traffic from the process through a local proxy without justification in the SKILL.md. Forcing a proxy is out-of-scope for a transcript analyzer and could be used to reroute network traffic if the local proxy forwards externally.
Install Mechanism
There is no install spec (instruction-only), which minimizes install-time risk. The package declares dependencies (youtube-transcript-api, requests) in _meta.json and SKILL.md, but there is no automated install step — the user or environment must install them. The 'requests' dependency is declared but unused in the code, an inconsistency but not itself malicious.
!
Credentials
The skill requests no external credentials, which is appropriate. But it forcibly sets HTTP_PROXY/HTTPS_PROXY environment variables to a localhost proxy. Requesting/forcing proxy environment variables without user consent is disproportionate to the task and is the primary security concern: if a local proxy is configured to forward traffic to an external server, transcript data (or other HTTP traffic from the process) could be routed through an attacker-controlled endpoint. No other environment variables or sensitive paths are requested.
Persistence & Privilege
The skill is not marked always:true, does not modify other skills, and does not persist credentials or alter agent configuration. Its only persistent effect is writing an analysis text file to the current working directory, which is expected for a CLI analysis tool.
What to consider before installing
What to consider before installing or running this skill: - The main red flag is that the script force-sets HTTP_PROXY and HTTPS_PROXY to http://127.0.0.1:26739. That will route the skill's HTTP(S) traffic through a local proxy without asking you. If you run a local proxy that forwards to a remote server (intentionally or because of a misconfiguration), that could expose transcript data or other HTTP traffic. If you don't run such a proxy, this may be harmless but still surprising behavior. - Actionable steps: - Inspect the script yourself. If you don't need the proxy, remove or comment out the two os.environ['HTTP_PROXY'] / HTTPS_PROXY lines before running. - Run the tool in an isolated environment (throwaway VM or container) the first time, and monitor outbound connections (e.g., with netstat/tcpdump) to confirm no unexpected external traffic. - Verify the declared dependencies (youtube-transcript-api) are installed from official sources. The declared 'requests' dependency is unused — consider removing it. - Confirm the source/trust: the package metadata lists a GitHub homepage but the provided 'Source' was unknown; prefer code from a verified origin or the official author. - Because the script writes analysis files to the current directory, ensure it runs in a folder where you are comfortable creating files. - Summary recommendation: do not run this in a sensitive environment until you either remove the hard-coded proxy lines or verify the local proxy behavior. The rest of the code appears to implement the stated function, but the forced proxy is an unexplained behavior that justifies caution.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.0
Download zip
latestvk97akn222axwjmdpk89d8nv4t981zg1s

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

YouTube 讲座字幕分析器

提取讲座核心结构、关键观点、证据与可执行行动,用于复盘/写作/教学。

使用方式

# 基础用法
python scripts/analyze_lecture.py <YouTube视频ID或URL>

# 指定语言优先级
python scripts/analyze_lecture.py <YouTube视频ID或URL> "zh-cn,en"

# 仅获取摘要
python scripts/analyze_lecture.py <YouTube视频ID或URL> --summary-only

输出格式

强制规则

  1. 只基于字幕,不要补充;不确定要标注【不确定】
  2. 先去噪:合并重复观点、删除口头禅、修正口误
  3. 每个关键结论附【原文短引文】10–30字
  4. 区分:事实(Fact) / 观点(Claim) / 推断(Inference) / 建议(Recommendation)

输出结构

  • A) 一句话总论(≤25字)
  • B) 讲座结构地图(3–6段)
  • C) 5个关键问题及回答
  • D) 核心概念与关系
  • E) 可执行提炼(行动清单)
  • F) 亮点与反直觉
  • G) 盲区与待验证
  • 摘要(中文200字 + 英文200字)

依赖

  • youtube-transcript-api
  • HTTP 代理:127.0.0.1:26739

Files

3 total
Select a file
Select a file to preview.

Comments

Loading comments…