Universal Video to S3 Uploader

by aiastia · GitHub ↗ · v3.0.5 · MIT-0
linux, darwin · ⚠ suspicious
Downloads: 227
Stars: 0
Active Installs: 0
Versions: 12
Install in OpenClaw
/install youtube-s3-uploader
Description
Download videos from YouTube, Twitter/X, TikTok, Douyin, Bilibili and upload to S3-compatible storage. Universal video downloader with smart quality selectio...
Usage Guidance
This package appears to implement a video downloader → S3 uploader, but it has several red flags you should consider before installing or running it:
- Do not trust the README alone: the runtime scripts expect a config at /home/node/.openclaw/workspace/.r2-upload.yml, while docs tell you to use ~/.youtube-s3-uploader.yml. Verify which config file the code will actually read so you don't accidentally leak credentials or leave them in an unexpected location.
- Inspect the code locally before running. The scripts use execSync/exec to run yt-dlp, ffmpeg and curl, and they read/write files under hardcoded workspace directories. Make sure those paths are acceptable and won't expose any sensitive data on your machine or agent workspace.
- Be cautious about credentials: only provide S3 keys you control and consider using a scoped, low-privilege key or a dedicated test account. Do not reuse high-privilege AWS keys.
- The package contains a script that edits other script files (scripts/add-import.js). Consider removing or reviewing that behavior if you plan to run the tool.
- Ensure required binaries exist at the expected locations or modify the scripts to point to safe, known paths. Alternatively, run this in an isolated environment (container or VM) where accidental exposure is contained.
If you want to proceed safely, run the code in a sandbox, correct the config path to the one you control, and test with temporary, limited-permission S3 credentials.
Capability Analysis
Type: OpenClaw Skill
Name: youtube-s3-uploader
Version: 3.0.5
The skill bundle contains multiple critical command injection vulnerabilities where user-provided URLs are directly interpolated into shell commands. Specifically, in 'scripts/video-to-s3-universal.js' and 'scripts/youtube-to-s3.js', the 'url' parameter is passed unsanitized to 'execSync' calls for 'yt-dlp'. Similarly, 'scripts/fixed-upload-video-to-s3.js' uses 'exec' to run 'curl' on a URL in the 'verifyUpload' function. While these flaws allow for arbitrary code execution if an attacker provides a crafted URL, they appear to be unintentional security oversights rather than intentional malware, as there is no evidence of data exfiltration or hidden backdoors.
Capability Tags
crypto
Capability Assessment
Purpose & Capability
The declared purpose (download videos and upload to S3) aligns with the code's use of yt-dlp, ffmpeg and the AWS S3 SDK. However there are notable mismatches: the SKILL.md/README instructs the user to place credentials in ~/.youtube-s3-uploader.yml, while the runtime scripts expect a different config file (/home/node/.openclaw/workspace/.r2-upload.yml). Hardcoded workspace paths for yt-dlp, ffmpeg, downloads and config indicate this package was written to run inside a specific agent/container environment rather than as a general CLI, which is not explained in the documentation.
Instruction Scope
Runtime scripts call external binaries via execSync/exec (yt-dlp, ffmpeg, curl) and read/write files under hardcoded paths in /home/node/.openclaw/workspace. SKILL.md claims 'no external APIs' and instructs a user-local config but the code will look for and require a YAML config in the workspace path. The scripts will read local files, execute shell commands, and can run curl to verify URLs — behaviors consistent with a downloader but broader than the user-facing config/instructions imply and potentially surprising to non-technical users.
Install Mechanism
There is no install spec in the registry metadata (instruction-only), but the package contains Node code and package.json with dependencies (@aws-sdk/client-s3, js-yaml). Nothing in the manifest downloads arbitrary code at runtime from untrusted URLs; however there are no explicit install-time steps documented for installing Node deps or ensuring yt-dlp/ffmpeg are available at the hardcoded paths. The absence of an install recipe plus hardcoded binary locations is fragile and risky operationally.
Credentials
The skill declares no required environment variables, yet it requires S3 credentials — stored in a YAML config — to function. The documentation tells users to put credentials in ~/.youtube-s3-uploader.yml, but the runtime code reads /home/node/.openclaw/workspace/.r2-upload.yml (and other scripts default to that path). This mismatch could cause credential misplacement or accidental use of credentials in unintended locations. The package also contains a script (scripts/add-import.js) that programmatically edits another script, which increases the surface where secrets/config could be read or changed unexpectedly.
Persistence & Privilege
The skill is not marked always:true and does not request elevated platform privileges. However it includes a helper (scripts/add-import.js) that modifies code files, and other scripts write/read files under hardcoded workspace directories. These behaviors create persistence of data (downloads, config with secrets) on disk and alter local files — normal for a CLI uploader but something to be aware of before running in a sensitive environment.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install youtube-s3-uploader
  3. After installation, invoke the skill by name or use /youtube-s3-uploader
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v3.0.5
Confirm --merge-output-format mp4 for all downloads, ensure mp4 output
v3.0.4
Fix: yt-dlp path detection, add .gitignore, dependency fix
v3.0.3
- Internal improvements and small fixes to scripts for reliability and package consistency.
- Updated CHANGELOG and package version to 3.0.3.
- No user-facing changes or new features in this release.
v3.0.2
youtube-s3-uploader v3.0.2
- Added update-version.js script for automated version management.
- Updated core scripts and metadata for improved maintainability.
- Minor internal changes in video-to-s3-universal.js and youtube-to-s3.js scripts.
- Updated package.json and CHANGELOG.md to reflect version changes.
v3.0.1
Universal filename cleanup and improved platform support.
- Cleans and normalizes filenames by removing all punctuation, emojis, and special characters for better S3 compatibility.
- Adds robust Unicode support, including Chinese punctuation and emojis.
- Automatic detection of video platform (YouTube, Twitter/X, TikTok, etc.).
- Universal download support for 1000+ sites via yt-dlp.
v3.0.0
v3.0.0: Universal video downloader - supports YouTube, Twitter/X, TikTok, Douyin, Bilibili and 1000+ sites via yt-dlp. New video-s3-upload command for any video platform.
v2.0.3
v2.0.3: Major improvements - readable filenames with Chinese characters preserved, intelligent quality selection prioritizing 1080p/720p, and reliable audio merging. Fixed unreadable filenames and low-quality format selection.
v2.0.2
v2.0.2: Fixed critical audio merge issues. Now prioritizes merged formats (already containing audio) and automatically uses ffmpeg when merging is required. Guarantees all downloaded videos include audio tracks.
v2.0.1
v2.0.1: Unified version with automatic quality selection and audio assurance. Simplified script architecture (2 essential scripts only). Automatically detects and downloads highest quality video with audio. Fixed Chinese character metadata issues. Single command for all YouTube videos.
v2.0.0
v2.0.0: Complete rewrite with S3 Multipart Upload for all files. Fixed help system, not backward compatible with v1.x. Always uses multipart upload, improved error handling, and better memory management.
v1.1.0
Added S3 Multipart Upload support for large files, memory optimization, error recovery, and smart method selection.
v1.0.0
Initial release: Complete YouTube to S3 workflow for personal media storage. Features one-command processing, automatic cleanup, S3-compatible storage support, and secure access patterns. Perfect for archiving favorite videos, backing up educational content, or team collaboration.
Metadata
Slug youtube-s3-uploader
Version 3.0.5
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 12
Frequently Asked Questions

What is Universal Video to S3 Uploader?

Download videos from YouTube, Twitter/X, TikTok, Douyin, Bilibili and upload to S3-compatible storage. Universal video downloader with smart quality selectio... It is an AI Agent Skill for Claude Code / OpenClaw, with 227 downloads so far.

How do I install Universal Video to S3 Uploader?

Run "/install youtube-s3-uploader" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Universal Video to S3 Uploader free?

Yes, Universal Video to S3 Uploader is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Universal Video to S3 Uploader support?

Universal Video to S3 Uploader is cross-platform and runs anywhere OpenClaw / Claude Code is available (linux, darwin).

Who created Universal Video to S3 Uploader?

It is built and maintained by aiastia (@aiastia); the current version is v3.0.5.
