← Back to Skills Marketplace
141
Downloads
0
Stars
0
Active Installs
5
Versions
Install in OpenClaw
/install youtube-assistant
Description
Fetch YouTube video transcripts, metadata, and channel info with AI-powered summarization, key takeaway extraction, and multi-video analysis. Powered by evol...
Usage Guidance
This skill appears to be what it claims: it uses yt-dlp + Python locally to get subtitles/metadata and only sends transcript text to Evolink (api.evolink.ai) when you opt into AI features by setting EVOLINK_API_KEY. Before installing: 1) decide whether you trust Evolink to process transcripts (AI features will transmit full transcript text); 2) confirm you want to install yt-dlp and have python3/curl available; 3) note small metadata inconsistencies (registry summary omits declared requirements) and a harmless installer typo — consider installing in a sandbox or review the scripts yourself if you have concerns; 4) prefer installing from the upstream GitHub repo listed in the README if you want provenance rather than an unknown registry snapshot.
Capability Analysis
Type: OpenClaw Skill
Name: youtube-assistant
Version: 1.0.4
The skill contains a critical command injection vulnerability in `scripts/youtube.sh` where external data (YouTube transcripts and user questions) is interpolated directly into a Python command string (`python3 -c`) using triple quotes without sanitization. This allows for arbitrary code execution if a processed video transcript or user query contains the sequence `'''`. Additionally, the skill transmits video transcripts and metadata to an external third-party API (`api.evolink.ai`) for processing. While this behavior is disclosed in `SKILL.md` and `_meta.json`, the combination of unauthenticated data transmission and the RCE vulnerability makes the bundle high-risk, despite no clear evidence of intentional malice.
Capability Assessment
Purpose & Capability
The skill's name and description match the included scripts: yt-dlp + Python are used to fetch transcripts/metadata and an optional EVOLINK_API_KEY is used to call Evolink's API for AI features. However, the registry header at the top of the evaluation lists no required binaries or env vars whereas the SKILL.md and _meta.json explicitly require python3, yt-dlp, curl and list EVOLINK_API_KEY as optional — this is an inconsistency in metadata (likely an authoring/packaging oversight) but not a functional mismatch.
Instruction Scope
Runtime instructions and the shipped scripts are narrowly scoped to YouTube operations: extracting subtitles/metadata via yt-dlp and, only when AI commands are used, posting transcript+metadata to https://api.evolink.ai. The SKILL.md documents this data transmission and requires explicit EVOLINK_API_KEY. There are no instructions to read unrelated system files or to exfiltrate other credentials.
Install Mechanism
There is no network download of arbitrary code during install: the included npm install script copies packaged skill files into the user's workdir and updates a local lock file. No remote URLs, shorteners, or extraction-from-unknown-servers are used by the installer. The package references a GitHub repo and Evolink pages for documentation, which is expected.
Credentials
The only credential-like variable is EVOLINK_API_KEY and it is optional for AI features; that is proportionate to the described functionality. One minor issue: the installer checks CLAWHUB_WORKDIR and also a likely-typo CLAWDHUB_WORKDIR — not a credential leak but a small bug. Also, the registry summary at the top omitted required binaries/env which is inconsistent with SKILL.md/_meta.json.
Persistence & Privilege
The skill does not request permanent/always-on privilege (always: false). Installer writes skill files into a skills/ directory and updates a local .clawhub lock/origin file as expected; temporary files for transcript processing are created and removed. The skill does not modify other skills or global credentials.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install youtube-assistant - After installation, invoke the skill by name or use
/youtube-assistant - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.4
Fix metadata: add type=tool, align version, remove redundant fields to resolve security audit inconsistency
v1.0.3
Fix: switch to indented code blocks and inline code to avoid syntax highlighting color issues
v1.0.2
Fix: use text code blocks and remove inline comments for clear readability on ClawHub
v1.0.1
Fix: remove bash syntax highlighting from code blocks for better readability on ClawHub
v1.0.0
Initial release: transcript extraction, metadata, channel browsing, YouTube search, AI-powered summarization, takeaway extraction, multi-video comparison, and Q&A. Powered by EvoLink API.
Metadata
Frequently Asked Questions
What is YouTube Assistant?
Fetch YouTube video transcripts, metadata, and channel info with AI-powered summarization, key takeaway extraction, and multi-video analysis. Powered by evol... It is an AI Agent Skill for Claude Code / OpenClaw, with 141 downloads so far.
How do I install YouTube Assistant?
Run "/install youtube-assistant" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is YouTube Assistant free?
Yes, YouTube Assistant is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does YouTube Assistant support?
YouTube Assistant is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created YouTube Assistant?
It is built and maintained by EvolinkAI (@evolinkai); the current version is v1.0.4.
More Skills