YouTube Transcript Analyzer
ReviewAudited by ClawScan on May 10, 2026.
Overview
The skill is mostly purpose-aligned, but it can automatically download and run an unpinned executable from GitHub, so users should review it before use.
This skill appears to perform the advertised YouTube transcript extraction and analysis, but before installing or running it, be aware that it may download a fresh yt-dlp executable into your home directory and run it. Safer use would involve installing yt-dlp yourself from a trusted, pinned source and verifying the binary before execution.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user running the skill could execute whatever binary is served as the latest yt-dlp release at that time, increasing supply-chain risk if the upstream release or download path is compromised.
If yt-dlp is missing, the script fetches the latest remote executable, grants execute permission, and uses it without version pinning, checksum verification, or a separate user approval step.
curl -L https://github.com/yt-dlp/yt-dlp/releases/latest/download/yt-dlp -o "$HOME/yt-dlp" chmod +x "$HOME/yt-dlp" YT_DLP="$HOME/yt-dlp"
Pin yt-dlp to a specific reviewed version, verify checksums or signatures, declare the dependency in install metadata, and ask for explicit user confirmation before downloading and executing a new binary.
The skill will run local commands and contact external services to retrieve captions for the YouTube URL being analyzed.
The skill executes a local downloader tool to retrieve YouTube captions. This is aligned with the skill’s purpose, but it is still local command execution and network access.
$YT_DLP --write-auto-sub --write-sub --sub-lang en --skip-download --sub-format vtt "$VIDEO_URL" -o "temp_transcript" --quiet
Use the skill only for URLs you intend to analyze, and prefer a preinstalled, trusted yt-dlp binary rather than automatic download.