Downloads: 131 | Stars: 0 | Active Installs: 0 | Versions: 2
Install in OpenClaw
/install youtube-distiller
Description
Automatically download subtitles from YouTube/Bilibili and generate structured knowledge articles in various summary styles using AI.
Usage Guidance
This skill mostly does what it claims, but there are several red flags you should address before installing or running it:
- Do not trust the embedded API key in the README/dev docs. Treat it as leaked; if you or your org ever used it, rotate/revoke it immediately. The presence of a literal key in the repo is a security problem.
- The skill needs an API key (MINIMAX_API_KEY) though the registry metadata does not declare it — expect to set that env var yourself. Only provide a key you control and are willing to use with this third-party service.
- The script expects yt-dlp at a specific Windows path and uses many hardcoded C:\butler_sumo paths. If you run this on a different OS or without those directories the script could fail or create files in unexpected locations. Review and, if needed, change the paths before running.
- Review the code (youtube_distiller.py) locally to confirm it only sends subtitle text to the stated API and does not exfiltrate other data. Consider running it in an isolated environment (VM/container) and monitoring outgoing network requests on first run.
- If you only want local summaries, consider removing or disabling the API calls and using an offline summarizer (or supply your own provider) so you don't send data to a third-party service.
Given these inconsistencies (undeclared env var and binaries, hardcoded file paths, and a leaked-looking API key), treat this skill as suspicious until the repository owner clarifies and removes the exposed credential and documents required dependencies and filesystem behavior.
Capability Analysis
Type: OpenClaw Skill
Name: youtube-distiller
Version: 2.1.0
The bundle contains a hardcoded, plaintext MiniMax API key within the development log file (youtube-knowledge-dev.md), which constitutes a significant credential leak vulnerability. While the script's primary function of summarizing YouTube videos via yt-dlp and the MiniMax API is consistent with its documentation, it employs risky practices such as using hardcoded absolute paths on the C: drive (e.g., C:\butler_sumo\...) for file operations and binary execution. These security flaws, particularly the exposed API key, warrant a suspicious classification despite the lack of clear evidence of intentional malice.
Capability Assessment
Purpose & Capability
The name/description (download subtitles & generate summaries) matches the code's behavior, but the registry metadata claims no required env vars or binaries while the code and README clearly depend on an external yt-dlp executable and an environment variable MINIMAX_API_KEY. Hardcoded Windows paths (C:\butler_sumo\...) are used throughout, which is reasonable for a desktop tool but is not declared in the registry and may be surprising to users on other platforms.
Instruction Scope
SKILL.md instructs running the bundled script, which is expected, but the script reads/writes multiple local directories (library/SumoNoteBook, tools, sync_log) and will attempt to create and modify files there. It also sends subtitle text to an external API (api.minimax.io). The runtime instructions and registry metadata do not disclose the env var requirement (MINIMAX_API_KEY) or the exact filesystem locations the skill will modify.
Install Mechanism
No install spec (instruction-only) — low installation risk. However, the code expects external binaries (yt-dlp at a hardcoded path, and optionally Whisper/faster-whisper) but the registry did not declare those dependencies or provide install steps. That mismatch can lead to unexpected failures or hidden assumptions about available tooling.
Credentials
The repository/code expects MINIMAX_API_KEY, but the skill metadata lists no required environment variables. Worse: the README/dev docs include a long API key literal (cleartext) and an API URL, which appears to be a real credential—this is a sensitive disclosure. Requesting a single provider API key for summarization is proportional, but (1) it should be declared in metadata and (2) embedding a key in docs is a serious security problem (leak/unauthorized reuse).
Persistence & Privilege
The skill is not always-enabled and is user-invocable (normal). It writes files to several shared/local directories (SumoNoteBook, sync logs), which is expected for a summarizer that syncs notes, but users should be aware it will create/modify files in those hardcoded paths. There is no evidence it modifies other skills or system-wide agent settings.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install youtube-distiller
- After installation, invoke the skill by name or use
/youtube-distiller
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v2.1.0
Added automatic sync to SumoNoteBook, research_index updates, and sync_log logging
v2.0.0
Fixed parsing of the AI summary API response
Frequently Asked Questions
What is YouTube Distiller?
Automatically download subtitles from YouTube/Bilibili and generate structured knowledge articles in various summary styles using AI. It is an AI Agent Skill for Claude Code / OpenClaw, with 131 downloads so far.
How do I install YouTube Distiller?
Run "/install youtube-distiller" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is YouTube Distiller free?
Yes, YouTube Distiller is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does YouTube Distiller support?
YouTube Distiller is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created YouTube Distiller?
It is built and maintained by Sumo0221 (@sumo0221); the current version is v2.1.0.