YouTube Transcript Analyzer

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill is mostly purpose-aligned, but it can automatically download and run an unpinned executable from GitHub, so users should review it before use.

This skill appears to perform the advertised YouTube transcript extraction and analysis. Before installing or running it, be aware that when yt-dlp is not already present it downloads whatever binary is currently published as the latest yt-dlp release into your home directory and executes it, with no version pin, checksum or signature check, or approval prompt. The safer course is to install yt-dlp yourself from a trusted source at a specific, reviewed version, verify the binary against the checksums published with that release, and point the skill at that preinstalled copy.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

0 of 66 VirusTotal vendors flagged this skill; all 66 reported it clean.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI04: Agentic Supply Chain Vulnerabilities (severity: Medium)
What this means

A user running the skill could execute whatever binary is served as the latest yt-dlp release at that time, increasing supply-chain risk if the upstream release or download path is compromised.

Why it was flagged

If yt-dlp is not already on the system, the script fetches whatever binary currently sits behind the releases/latest alias, marks it executable, and uses it with no version pin, no checksum or signature verification, and no separate user approval step. Two details of the curl invocation add to the risk: -L follows redirects, so the bytes come from wherever the alias resolves to at that moment, and without -f a non-2xx response body (for example an error page) is still written to $HOME/yt-dlp and then marked executable.

Skill content

curl -L https://github.com/yt-dlp/yt-dlp/releases/latest/download/yt-dlp -o "$HOME/yt-dlp"
chmod +x "$HOME/yt-dlp"
YT_DLP="$HOME/yt-dlp"

Recommendation

Pin yt-dlp to a specific reviewed version, verify checksums or signatures, declare the dependency in install metadata, and ask for explicit user confirmation before downloading and executing a new binary.
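The following is an added example of what that recommendation looks like in practice; it is not the skill's own code and the version tag and SHA-256 digest in it are placeholders that must be replaced with the tag of the release you reviewed and the digest from the checksum file published with that release. It fetches from a release-specific URL rather than the latest alias, downloads to a temporary file, checks the digest, and only then marks the file executable; it also refuses to download at all unless a person at a terminal says yes, so an agent running the skill unattended cannot pull a new binary silently.

```bash
#!/usr/bin/env bash
# Hardened replacement for the skill's "fetch latest yt-dlp" step (added example, not the
# skill's own code): pinned release tag, SHA-256 check against a digest recorded here, and
# an explicit yes/no prompt before anything is downloaded or executed.
set -eu

# ASSUMPTIONS: both values are placeholders. Take the real tag from the yt-dlp release you
# reviewed and the digest from the checksum file published alongside that release.
YT_DLP_VERSION="${YT_DLP_VERSION:-2024.01.01}"
YT_DLP_SHA256="${YT_DLP_SHA256:-0000000000000000000000000000000000000000000000000000000000000000}"

# Release-specific URL: unlike .../releases/latest/download/..., the bytes behind this
# path do not change when upstream publishes a newer version.
pinned_url() {
  printf 'https://github.com/yt-dlp/yt-dlp/releases/download/%s/yt-dlp\n' "$1"
}

# Succeeds only if the file's SHA-256 equals the expected lowercase hex digest.
verify_sha256() {
  local file="$1" expected="$2" actual
  if command -v sha256sum >/dev/null 2>&1; then
    actual=$(sha256sum "$file")
  else
    actual=$(shasum -a 256 "$file")
  fi
  actual=${actual%% *}            # keep the hex digest, drop the filename column
  [ "$actual" = "$expected" ]
}

# Explicit approval step. With no interactive terminal (an agent running the skill
# unattended, a cron job) the answer is "no", so the binary is never fetched silently.
confirm() {
  local answer
  [ -t 0 ] || return 1
  printf '%s [y/N] ' "$1" >&2
  read -r answer
  [ "$answer" = "y" ] || [ "$answer" = "Y" ]
}

# Download to a temp file, verify, and only then mark executable and move into place.
# A failed download (curl -f) or a digest mismatch leaves nothing executable behind.
install_pinned_yt_dlp() {
  local dest="$1" tmp
  if [ -x "$dest" ]; then
    return 0                        # already installed; nothing to fetch
  fi
  if ! confirm "Download yt-dlp $YT_DLP_VERSION to $dest?"; then
    echo "download not approved" >&2
    return 1
  fi
  tmp=$(mktemp)
  if ! curl -fsSL "$(pinned_url "$YT_DLP_VERSION")" -o "$tmp"; then
    rm -f "$tmp"; echo "download failed" >&2; return 1
  fi
  if ! verify_sha256 "$tmp" "$YT_DLP_SHA256"; then
    rm -f "$tmp"; echo "SHA-256 mismatch for yt-dlp $YT_DLP_VERSION" >&2; return 1
  fi
  chmod +x "$tmp"
  mv "$tmp" "$dest"
}

# Usage (performs a network download, so it is left commented out here):
# install_pinned_yt_dlp "$HOME/yt-dlp" && YT_DLP="$HOME/yt-dlp"
```

The digest is embedded in the script rather than fetched from the same release page at run time; a checksum downloaded next to the binary only proves the two files came from the same place, which is exactly the case a compromised upstream release defeats. Signature verification of the release assets, where the project publishes signatures, is the stronger check and can be added in front of the SHA-256 comparison.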

ASI05: Unexpected Code Execution (severity: Low)
What this means

The skill will run local commands and contact external services to retrieve captions for the YouTube URL being analyzed.

Why it was flagged

The skill executes a local downloader tool to retrieve YouTube captions. This is aligned with the skill’s purpose, but it is still local command execution and network access.

Skill content

$YT_DLP --write-auto-sub --write-sub --sub-lang en --skip-download --sub-format vtt "$VIDEO_URL" -o "temp_transcript" --quiet

Recommendation

Use the skill only on URLs you intend to analyze. The URL is handed to the downloader as a bare positional argument ahead of -o, so anything you supply reaches the tool's option parser; validate that it is a YouTube watch URL and does not begin with a dash before invoking the skill. Prefer a preinstalled, trusted yt-dlp binary over the automatic download.
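As an added example (not the skill's own code), the check below restricts what reaches the downloader to an https YouTube watch or youtu.be URL carrying an 11-character video id, rejects anything that starts with a dash, and then passes the URL after a bare "--" so the option parser treats it as an argument rather than an option. The video id shape and the accepted host forms are assumptions chosen for this example; widen the patterns if you need to accept playlist or other URL forms.

```bash
#!/usr/bin/env bash
# Input gate for the caption-fetch step (added example, not the skill's own code).
set -eu

# Returns 0 for https://www.youtube.com/watch?v=<id>, https://youtube.com/watch?v=<id>
# or https://youtu.be/<id> where <id> is 11 characters from [A-Za-z0-9_-]; 1 otherwise.
# ASSUMPTION: these three host forms and the 11-character id are the only shapes accepted.
is_youtube_url() {
  local url="$1" id
  case "$url" in
    -*) return 1 ;;                      # would be read as an option, never as a URL
    https://www.youtube.com/watch[?]v=???????????|\
    https://youtube.com/watch[?]v=???????????|\
    https://youtu.be/???????????) ;;     # shape is right; still check the id characters
    *) return 1 ;;
  esac
  id=${url##*v=}                         # watch?v=<id>  ->  <id>
  id=${id##*/}                           # youtu.be/<id> ->  <id>
  case "$id" in
    *[!A-Za-z0-9_-]*) return 1 ;;        # shell metacharacters, slashes, spaces, etc.
  esac
  return 0
}

# Same caption fetch as the skill, but with the URL validated first and placed after
# "--" (end of options), so a value starting with "-" can never be parsed as an option.
fetch_captions() {
  local url="$1" yt="${2:-$HOME/yt-dlp}"
  if ! is_youtube_url "$url"; then
    echo "refusing to pass non-YouTube argument to yt-dlp: $url" >&2
    return 1
  fi
  "$yt" --write-auto-sub --write-sub --sub-lang en --skip-download \
        --sub-format vtt -o temp_transcript --quiet -- "$url"
}

# Usage (contacts YouTube, so left commented out here):
# fetch_captions "https://www.youtube.com/watch?v=dQw4w9WgXcQ" "$HOME/yt-dlp"
```

The allowlist is deliberately strict: a URL that is not on the list is refused rather than sanitized, which is the right failure mode when the downstream consumer is an external binary with network access.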