← Back to Skills Marketplace
Withme Youtube
by
kylin19860916
· GitHub ↗
· v2.1.0
· MIT-0
247
Downloads
0
Stars
0
Active Installs
2
Versions
Install in OpenClaw
/install withme-youtube
Description
With me. YouTube 频道 Lofi 氛围视频制作全流程。小米(Content)全权调度,从选题到发布一条龙。含 AI 图片生成、Envato 音频下载、FFmpeg 合成、SEO 资料包、YouTube 上传排程、Shorts 切片。触发词:withme、lofi视频、氛围视频、YouTube发布、...
Usage Guidance
What to check before installing or running this skill:
- Ask the author to explicitly declare required credentials and files (e.g., GEMINI_API_KEY, path to youtube_client_secret.json or a GOOGLE_CLIENT_* env, Envato account) in the skill metadata. Do not rely on the skill reading ~/.openclaw/openclaw.json or other shared files implicitly.
- Review any external scripts the SKILL.md executes (generate_image.py, youtube_upload.py) before running them. Those scripts run with your account privileges and could exfiltrate keys or delete files.
- Confirm where youtube_client_secret.json and the Envato account credentials are stored and whether you're comfortable granting the skill access. Prefer explicit env variables or OAuth flows rather than the agent reading other skills' files.
- The skill instructs use of the Chrome DevTools Protocol (127.0.0.1:18800 and webSocketDebuggerUrl) and Page.setDownloadBehavior to automate downloads. Ensure the browser/CDP endpoint is not exposed to untrusted networks and that you trust the automation flow — CDP access can be powerful and used to drive downloads or click arbitrary buttons.
- Run the workflow in a sandboxed environment or test account first (no production Google account) to verify behavior and to ensure it doesn't leak credentials or upload unintended content.
- If you still want to use this skill, request the author update SKILL.md/metadata to list all required credentials and the exact external scripts, and provide/verifiy the source for those scripts so you can audit them.
Why this is rated suspicious (not outright malicious): The actions described are consistent with legitimate automation for producing and uploading videos, but the skill omits explicit declarations of sensitive dependencies and instructs access to local secret/config files and CDP. That mismatch could be benign oversight or sloppy engineering — but it also increases the risk of secret exposure, so proceed with caution.
Capability Analysis
Type: OpenClaw Skill
Name: withme-youtube
Version: 2.1.0
The skill bundle automates a complex YouTube video production pipeline but contains instructions in SKILL.md to intentionally bypass the 'Main' agent's oversight and inspection mechanism (pending.json). It features high-risk behaviors including programmatically extracting API keys from local configuration files (~/.openclaw/openclaw.json) and using Chrome DevTools Protocol (CDP) via websockets to manipulate browser behavior, automate downloads, and circumvent Cloudflare protections. While these actions support the stated automation goals, the circumvention of security gates and direct handling of sensitive credentials represent significant risks.
Capability Assessment
Purpose & Capability
The high-level purpose (AI image generation, Envato audio download, FFmpeg composition, SEO, and YouTube upload) is consistent with the listed steps and included FFmpeg template. However the SKILL.md expects access to local shared scripts/files and services that are not declared as requirements: it reads ~/.openclaw/openclaw.json to get GEMINI_API_KEY, expects ~/.openclaw/shared/generate_image.py and ~/.openclaw/shared/youtube_upload.py to exist, and references youtube_client_secret.json and a logged-in Envato account. The skill metadata lists no required env vars or credentials — this is an incoherence (legitimate functionality but missing declared dependencies/credentials).
Instruction Scope
The runtime instructions explicitly tell the agent to: (1) read ~/.openclaw/openclaw.json to extract GEMINI_API_KEY, (2) exec local scripts at absolute paths (/Users/withme/.openclaw/shared/generate_image.py), (3) connect to local Chrome DevTools endpoints (http://127.0.0.1:18800/json and webSocketDebuggerUrl) and call Page.setDownloadBehavior to permit downloads, and (4) read/write files like ~/.openclaw/shared/upload-queue.json and youtube_client_secret.json. These actions access sensitive local credentials and local debugger endpoints and could expose secrets or enable arbitrary downloads; they go beyond simple 'run ffmpeg' instructions and should have been declared and justified. The SKILL.md also instructs using exec/exec-like tools and browser/CDP workarounds to bypass Cloudflare — a potentially risky pattern.
Install Mechanism
There is no install spec; this is an instruction-only skill plus a small template script. That lowers installation risk because nothing is fetched or extracted automatically. However the instructions assume existing local scripts and environment (shared generate_image.py, youtube_upload.py, and various files), so the runtime safety depends on those external scripts which are not provided or reviewed here.
Credentials
The skill declares no required environment variables or primary credential, but the instructions require sensitive credentials/files: GEMINI API key (read from ~/.openclaw/openclaw.json), Google OAuth client secrets (~/.openclaw/shared/youtube_client_secret.json), and a logged-in Envato account (Ken account). This mismatch—requesting access to other skills' shared config and local secrets while declaring none— is disproportionate and should be corrected. The skill also references a concrete Google account email, which is a privacy detail and not an appropriate substitute for declared credentials.
Persistence & Privilege
always:false and no install spec are good, but the instructions read and write shared OpenClaw paths (~/.openclaw/shared/, memory/, upload-queue.json) and expect to use other agent-managed artifacts. Accessing and modifying these shared config/data files (and reading other skills' stored credentials) is a potential privilege boundary issue and should be explicitly declared and limited.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install withme-youtube - After installation, invoke the skill by name or use
/withme-youtube - Provide required inputs per the skill's parameter spec and get structured output
Version History
v2.1.0
Version 2.1.0
- 阶段 4“音频准备”全面更新:现在明确描述 Envato 全自动下载方案,加入 Chrome DevTools Protocol (CDP) 相关说明,并给出示例代码。
- 强调下载行为需用Page级setDownloadBehavior、须用browser工具,避免web_fetch导致403。
- 明确音频下载后自动解压与曲目发送给Ken确认。
- “全自动节点”说明同步更新,标注Envato音频搜索+下载需browser+CDP配合。
- 其他制作流程步骤未改动。
v2.0.0
v2.0: Complete rewrite. Content (小米) is now production lead. Direct exec for image gen (no pending.json), browser-based Envato downloads, updated agent routing, expanded content matrix (7 spaces), Envato search keywords.
Metadata
Frequently Asked Questions
What is Withme Youtube?
With me. YouTube 频道 Lofi 氛围视频制作全流程。小米(Content)全权调度,从选题到发布一条龙。含 AI 图片生成、Envato 音频下载、FFmpeg 合成、SEO 资料包、YouTube 上传排程、Shorts 切片。触发词:withme、lofi视频、氛围视频、YouTube发布、... It is an AI Agent Skill for Claude Code / OpenClaw, with 247 downloads so far.
How do I install Withme Youtube?
Run "/install withme-youtube" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Withme Youtube free?
Yes, Withme Youtube is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Withme Youtube support?
Withme Youtube is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Withme Youtube?
It is built and maintained by kylin19860916 (@kylin19860916); the current version is v2.1.0.
More Skills