
YouTube Digest

by 0xRaini · GitHub ↗ · v1.0.0
cross-platform ⚠ suspicious
1105 Downloads · 0 Stars · 8 Active Installs · 1 Version
Install in OpenClaw: /install yt-digest
Description
Extract transcripts, summaries, chapters, and key moments from public YouTube videos without needing an API key.
Usage Guidance
This skill appears to do what it claims (extract transcripts and generate summaries) but has a couple of red flags you should consider before installing or running it:

  - Command injection risk: The CLI calls yt-dlp by building shell command strings that include the user-supplied URL. If you or an agent could pass untrusted strings to this skill, a crafted input could execute arbitrary shell commands. Prefer an implementation that uses child_process.spawn with an args array or escapes input properly.
  - Documentation/dependency mismatch: SKILL.md claims using YouTube's transcript API, but the code uses yt-dlp; package.json includes an npm dependency that isn't used. This looks like sloppy packaging — verify the source and prefer a provenance you trust.
  - Runtime requirement: yt-dlp must be installed on the host. The script checks for it and exits if missing.

Recommendations:

  1. Only run this skill in a trusted, sandboxed environment or inspect/modify the code to sanitize inputs before use.
  2. If you will accept URLs from external users or other agents, patch the code to avoid shell interpolation (use spawn with an args array or properly escape quotes), or validate/strictly whitelist URLs.
  3. Consider removing unused npm dependencies and aligning documentation with actual behavior before using widely.

If you want, I can suggest a safe-code patch (example: replace execSync string invocations with spawn or execFile) or produce a checklist to harden/run this skill safely.
Capability Analysis
Type: OpenClaw Skill
Name: yt-digest
Version: 1.0.0

The skill utilizes `child_process.execSync` in `src/cli.js` to execute the external `yt-dlp` command with user-provided URLs. While this capability is plausibly needed for the skill's stated purpose of extracting YouTube video information and transcripts, the direct execution of external commands with user input, even when quoted, introduces a potential command injection vulnerability if the URL is maliciously crafted or if `yt-dlp` itself has a vulnerability that could be exploited. There is no clear evidence of intentional malicious behavior such as data exfiltration or persistence, but the use of this high-risk capability warrants a 'suspicious' classification.
Capability Assessment
Purpose & Capability
The SKILL.md says it "Uses YouTube's transcript API" (no API key) but the implementation actually calls the external binary yt-dlp to fetch video JSON and subtitles. package.json includes an npm dependency (youtube-transcript) that is not used in src/cli.js. These mismatches suggest sloppy packaging/documentation rather than outright malice, but they are inconsistent with the stated purpose.
Instruction Scope
Runtime code executes external commands via execSync (yt-dlp) with the user-supplied URL interpolated into a shell string (e.g., `yt-dlp --dump-json --no-download "${url}"`). Because the code constructs shell command strings directly from input, there's a command-injection risk if a maliciously crafted URL (or untrusted input) includes shell metacharacters or quotes. SKILL.md does not document the yt-dlp requirement (it claims using YouTube API), so an operator might not expect this shell execution behavior.
Install Mechanism
This is an instruction-only skill with no install spec. The package files are included but nothing is downloaded or extracted at install time by the registry; risk from install mechanisms is minimal.
Credentials
No environment variables, credentials, or config paths are requested. The skill only reads/writes temporary files in the OS temp directory to store subtitle files, which is proportionate to its purpose.
Persistence & Privilege
The skill does not request 'always' presence and does not modify other skills or system-wide settings. It runs as a CLI tool invoked on demand (normal behavior).
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install yt-digest
  3. After installation, invoke the skill by name or use /yt-digest
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of yt-digest — extract summaries, transcripts, and key moments from YouTube videos.

  - Transcript extraction with timestamps for public YouTube videos
  - AI-generated summaries of video content
  - Chapter and highlight detection to identify key moments
  - Optional audio output of summaries (requires sag skill)
  - Simple CLI commands for transcripts, summaries, chapters, and full analysis
Metadata
Slug yt-digest
Version 1.0.0
License
All-time Installs 10
Active Installs 8
Total Versions 1
Frequently Asked Questions

What is YouTube Digest?

Extract transcripts, summaries, chapters, and key moments from public YouTube videos without needing an API key. It is an AI Agent Skill for Claude Code / OpenClaw, with 1105 downloads so far.

How do I install YouTube Digest?

Run "/install yt-digest" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is YouTube Digest free?

Yes, YouTube Digest is completely free (open-source). You can download, install and use it at no cost.

Which platforms does YouTube Digest support?

YouTube Digest is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created YouTube Digest?

It is built and maintained by 0xRaini (@0xraini); the current version is v1.0.0.
