ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

YouTube Transcript

Fetch and summarize YouTube video transcripts. Use when asked to summarize, transcribe, or extract content from YouTube videos. Handles transcript fetching via residential IP proxy to bypass YouTube's cloud IP blocks.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
21 · 16.6k · 150 current installs · 152 all-time installs
byThe Zealot@xthezealot
MIT-0
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (fetch YouTube transcripts via a residential IP proxy) aligns with the included code and setup docs: the script binds HTTP requests to a VPN source IP and the docs explain WireGuard/residential routing. However, the skill metadata declares no required binaries/config paths while the SKILL.md and script clearly depend on system tools (wg, wg-quick, ip) and Python packages (youtube-transcript-api, requests). This mismatch is an incoherence (should declare those runtime requirements).
!
Instruction Scope
The SKILL.md and script instruct the agent/host to check and bring up a WireGuard interface, add system routing rules (ip rule add ... table 51820), and rely on a residential WireGuard server. Those are system-level network operations and can require root/sudo. The script also calls out editing /etc/wireguard on a home router. While these steps are coherent with the stated purpose (residential IP routing), they go beyond simple HTTP calls and will change host networking — an important security and operational surface that the metadata does not warn about.
Install Mechanism
There is no packaged install spec (instruction-only with a code file). That is lower install risk than arbitrary remote downloads. The repository includes source files and a setup doc that tells the user to pip install youtube-transcript-api and requests. No suspicious download URLs or obfuscated code were found in the included files.
Credentials
The skill declares no required environment variables or credentials, which is consistent with the code (it does not require API keys). However, the script requires access to system networking utilities and a configured WireGuard setup (and will attempt to run wg-quick and ip commands). Those privilege/config needs are not represented in the metadata and may require elevated permissions on the host. The setup also suggests using a residential endpoint (home router) which implies trust and possible exposure of the home network; this should be considered before use.
!
Persistence & Privilege
The skill is not marked always:true and does not attempt to persist its own auth into agent state. However, it executes commands that modify system networking (bringing up wg0, adding ip rules). Running it will require the host to allow those changes (likely root) and may alter global routing. That is a significant privilege footprint for a skill and should be explicitly acknowledged before installing/executing.
What to consider before installing
This skill appears to do what it claims (fetch transcripts by routing requests over a residential IP), but it will attempt to manipulate host networking (wg, wg-quick, ip rules) and requires Python packages (youtube-transcript-api, requests). Before installing or running it: 1) Review the scripts locally — they are included and readable. 2) Expect to need WireGuard and root privileges to bring up interfaces and add routing rules; do not run on machines where you cannot grant/revoke such privileges. 3) The metadata omits required binaries/config paths (wg, wg-quick, ip, and the WireGuard config under /etc/wireguard) — treat that as a red flag and confirm prerequisites manually. 4) Consider privacy/legal/compliance implications of routing traffic through a residential IP (and potential exposure of your home network). 5) If you only need transcript fetching without changing host networking, consider using a hosted/respected residential proxy service or running the script locally on a trusted machine behind your home network, not on a shared or production VPS. If you are unsure, run the code in an isolated sandbox or VM and do not allow it to make persistent network or system changes until you are comfortable with its behavior.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.1
Download zip
latestvk97a9mxrr8n17adxbmnmx1eqt5801kw2

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

YouTube Transcript

Fetch transcripts from YouTube videos and optionally summarize them.

Quick Start

python3 scripts/fetch_transcript.py <video_id_or_url> [languages]

Examples:

python3 scripts/fetch_transcript.py dQw4w9WgXcQ
python3 scripts/fetch_transcript.py "https://www.youtube.com/watch?v=dQw4w9WgXcQ"
python3 scripts/fetch_transcript.py dQw4w9WgXcQ "fr,en,de"

Output: JSON with video_id, title, author, full_text, and timestamped transcript array.

Workflow

  1. Run fetch_transcript.py with video ID or URL
  2. Script checks VPN, brings it up if needed
  3. Returns JSON with full transcript text
  4. Summarize the full_text field as needed

Language Codes

Default priority: en, fr, de, es, it, pt, nl

Override with second argument: python3 scripts/fetch_transcript.py VIDEO_ID "ja,ko,zh"

Setup & Configuration

See references/SETUP.md for:

  • Python dependencies installation
  • WireGuard VPN configuration (required for cloud VPS)
  • Troubleshooting common errors
  • Alternative proxy options

Files

3 total
Select a file
Select a file to preview.

Comments

Loading comments…