← Back to Skills Marketplace
436
Downloads
0
Stars
1
Active Installs
1
Versions
Install in OpenClaw
/install youtube-channel-monitor
Description
YouTube 频道订阅+自动摘要+Telegraph 发布工具。用于: 1. 定时监控指定 YouTube 频道的新视频 2. 提取视频字幕(支持中英双语) 3. 生成可读性强的中文专栏文章 4. 自动发布到 Telegraph 并推送到 Telegram 频道 触发场景: - 用户想订阅 YouTube 频道...
Usage Guidance
Do not install or run this skill until you are comfortable with who controls the hardcoded Telegram bot. The script will publish generated content to a specific Telegram channel using a bot token embedded in the code, meaning your subscribed video summaries could be sent to an external party. Recommended actions before using: 1) Inspect and remove the hardcoded token (rotate it if it's yours), 2) Replace the hardcoded TELEGRAM_CHANNEL and token with configuration (environment variables or a user-provided config file) and document that behavior in SKILL.md, 3) Verify the absolute paths (/home/t/...) match your environment or change to use ~ or configurable workspace path, 4) Run the script in an isolated environment or sandbox first and monitor outbound network calls, 5) If you do not control the embedded bot token, consider rejecting this skill or asking the publisher to provide a version that uses user-supplied credentials. If you want, I can provide a secure patch that removes the hardcoded token and makes Telegram destination and credentials configurable.
Capability Analysis
Type: OpenClaw Skill
Name: youtube-channel-monitor
Version: 1.0.0
The skill bundle is classified as suspicious primarily due to the hardcoded Telegram bot token (`8630160870:AAFFF8xPS0muOqg8LGgMI3HalEA7ubVRIF8`) found in `scripts/youtube-monitor.py`. This constitutes a credential leak, allowing anyone with access to the skill bundle to impersonate the bot and send messages to the specified Telegram channel (`-1003899234137`). While the bot's intended use is for benign notifications, exposing this token is a significant security vulnerability. Additionally, the `SKILL.md` instructs the agent to execute `cat ~/.openclaw/workspace/youtube-channels.json`, which directly exposes local file content, a capability that could be misused.
Capability Assessment
Purpose & Capability
The code implements the stated functionality (checking channels, fetching transcripts, translating, creating Telegraph pages, pushing to Telegram). Dependencies listed in SKILL.md (yt-dlp, youtube-transcript-api, requests) match the script's behavior. However, the script hardcodes a Telegram bot token and a Telegram channel id instead of using user-provided credentials or declared environment variables, which is not proportionate to a 'user-subscribe-to-your-channels' utility and deviates from expected design.
Instruction Scope
SKILL.md instructs the agent/user to run a script and references configuration files under ~/.openclaw/workspace, but the script uses absolute paths (/home/t/.openclaw/...) which may not match the runtime environment. More importantly, the runtime actions include posting generated content to an externally owned Telegram bot/channel (hardcoded token and channel id) and creating Telegraph accounts/pages — the instructions do not make it explicit that content will be sent to someone else's Telegram, nor do they explain the hardcoded token. The script will read and write local state and token files in the workspace, which is expected, but sending content externally without clearly declared credentials is unexpected and risky.
Install Mechanism
This is an instruction-only skill with no install spec (no packages are automatically downloaded). The script expects external Python packages and yt-dlp to be installed; that matches SKILL.md. No remote install URLs or archive extracts are used.
Credentials
The skill declares no required environment variables or primary credential, yet the script contains a hardcoded Telegram bot token (token value present in code) and a hardcoded TELEGRAM_CHANNEL id (-1003899234137). It also assumes a local HTTP proxy at 127.0.0.1:7897. Requesting no credentials while embedding an actual credential is a mismatch and a red flag: it gives the skill the ability to publish/exfiltrate content to an external Telegram destination controlled by whoever owns that token.
Persistence & Privilege
The skill does not request always:true and does not modify other skills. It writes state files and a telegraph_token.json into the workspace directory (normal for this functionality). Autonomous invocation is allowed (platform default). Combined with the hardcoded credentials, autonomous invocation increases the blast radius because the skill could regularly push content to the external Telegram channel without further user interaction.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install youtube-channel-monitor - After installation, invoke the skill by name or use
/youtube-channel-monitor - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
youtube-channel-monitor 1.0.0
- 首发版本:支持定时监控指定 YouTube 频道的新视频,自动生成中英文摘要并发布到 Telegraph 和 Telegram 频道
- 自动获取中文字幕,英文字幕自动翻译为中文
- 每小时检查,最多重试字幕获取 3 次
- 支持通过频道链接一键订阅及订阅列表管理
- 可自定义代理和推送频道等参数
Metadata
Frequently Asked Questions
What is Youtube Channel Monitor?
YouTube 频道订阅+自动摘要+Telegraph 发布工具。用于: 1. 定时监控指定 YouTube 频道的新视频 2. 提取视频字幕(支持中英双语) 3. 生成可读性强的中文专栏文章 4. 自动发布到 Telegraph 并推送到 Telegram 频道 触发场景: - 用户想订阅 YouTube 频道... It is an AI Agent Skill for Claude Code / OpenClaw, with 436 downloads so far.
How do I install Youtube Channel Monitor?
Run "/install youtube-channel-monitor" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Youtube Channel Monitor free?
Yes, Youtube Channel Monitor is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Youtube Channel Monitor support?
Youtube Channel Monitor is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Youtube Channel Monitor?
It is built and maintained by subwukong (@subwukong); the current version is v1.0.0.
More Skills