YouTube ASR Summarize (Local)
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This skill appears to do what it claims: locally download/transcribe a user-specified YouTube video and write summary files, with no evidence of credential theft or hidden data sharing.
Before installing, be comfortable with installing yt-dlp, ffmpeg, and faster-whisper and with the skill downloading/transcribing a YouTube video locally. Use a dedicated output folder and review generated transcripts/frames before sharing them.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the skill's dependencies (yt-dlp, ffmpeg, and faster-whisper) gives third-party tools code execution on the local machine as part of normal setup.
The skill relies on external package managers and unpinned dependencies. This is normal for a local ASR/media workflow, but users should understand they are installing third-party software.
brew install yt-dlp ffmpeg ... pip install faster-whisper
Install only from trusted package sources, consider pinning package versions, and review dependency provenance if using this in a sensitive environment.
Running the skill can download media, invoke local binaries, and create files in the chosen output directory.
The script executes local command-line tools such as yt-dlp and ffmpeg. This is expected for downloading/transcoding media, and the visible code passes each command as an argument list rather than as a shell string.
p = subprocess.run(cmd, cwd=str(cwd) if cwd else None, stdout=subprocess.PIPE, stderr=subprocess.STDOUT, text=True)
Run it only for URLs you intend to process, choose a safe output directory, and ensure yt-dlp/ffmpeg are trusted installations.
