← 返回 Skills 市场
141
总下载
0
收藏
0
当前安装
5
版本数
在 OpenClaw 中安装
/install youtube-assistant
功能描述
Fetch YouTube video transcripts, metadata, and channel info with AI-powered summarization, key takeaway extraction, and multi-video analysis. Powered by evol...
安全使用建议
This skill appears to be what it claims: it uses yt-dlp + Python locally to get subtitles/metadata and only sends transcript text to Evolink (api.evolink.ai) when you opt into AI features by setting EVOLINK_API_KEY. Before installing: 1) decide whether you trust Evolink to process transcripts (AI features will transmit full transcript text); 2) confirm you want to install yt-dlp and have python3/curl available; 3) note small metadata inconsistencies (registry summary omits declared requirements) and a harmless installer typo — consider installing in a sandbox or review the scripts yourself if you have concerns; 4) prefer installing from the upstream GitHub repo listed in the README if you want provenance rather than an unknown registry snapshot.
功能分析
Type: OpenClaw Skill
Name: youtube-assistant
Version: 1.0.4
The skill contains a critical command injection vulnerability in `scripts/youtube.sh` where external data (YouTube transcripts and user questions) is interpolated directly into a Python command string (`python3 -c`) using triple quotes without sanitization. This allows for arbitrary code execution if a processed video transcript or user query contains the sequence `'''`. Additionally, the skill transmits video transcripts and metadata to an external third-party API (`api.evolink.ai`) for processing. While this behavior is disclosed in `SKILL.md` and `_meta.json`, the combination of unauthenticated data transmission and the RCE vulnerability makes the bundle high-risk, despite no clear evidence of intentional malice.
能力评估
Purpose & Capability
The skill's name and description match the included scripts: yt-dlp + Python are used to fetch transcripts/metadata and an optional EVOLINK_API_KEY is used to call Evolink's API for AI features. However, the registry header at the top of the evaluation lists no required binaries or env vars whereas the SKILL.md and _meta.json explicitly require python3, yt-dlp, curl and list EVOLINK_API_KEY as optional — this is an inconsistency in metadata (likely an authoring/packaging oversight) but not a functional mismatch.
Instruction Scope
Runtime instructions and the shipped scripts are narrowly scoped to YouTube operations: extracting subtitles/metadata via yt-dlp and, only when AI commands are used, posting transcript+metadata to https://api.evolink.ai. The SKILL.md documents this data transmission and requires explicit EVOLINK_API_KEY. There are no instructions to read unrelated system files or to exfiltrate other credentials.
Install Mechanism
There is no network download of arbitrary code during install: the included npm install script copies packaged skill files into the user's workdir and updates a local lock file. No remote URLs, shorteners, or extraction-from-unknown-servers are used by the installer. The package references a GitHub repo and Evolink pages for documentation, which is expected.
Credentials
The only credential-like variable is EVOLINK_API_KEY and it is optional for AI features; that is proportionate to the described functionality. One minor issue: the installer checks CLAWHUB_WORKDIR and also a likely-typo CLAWDHUB_WORKDIR — not a credential leak but a small bug. Also, the registry summary at the top omitted required binaries/env which is inconsistent with SKILL.md/_meta.json.
Persistence & Privilege
The skill does not request permanent/always-on privilege (always: false). Installer writes skill files into a skills/ directory and updates a local .clawhub lock/origin file as expected; temporary files for transcript processing are created and removed. The skill does not modify other skills or global credentials.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install youtube-assistant - 安装完成后,直接呼叫该 Skill 的名称或使用
/youtube-assistant触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.4
Fix metadata: add type=tool, align version, remove redundant fields to resolve security audit inconsistency
v1.0.3
Fix: switch to indented code blocks and inline code to avoid syntax highlighting color issues
v1.0.2
Fix: use text code blocks and remove inline comments for clear readability on ClawHub
v1.0.1
Fix: remove bash syntax highlighting from code blocks for better readability on ClawHub
v1.0.0
Initial release: transcript extraction, metadata, channel browsing, YouTube search, AI-powered summarization, takeaway extraction, multi-video comparison, and Q&A. Powered by EvoLink API.
元数据
常见问题
YouTube Assistant 是什么?
Fetch YouTube video transcripts, metadata, and channel info with AI-powered summarization, key takeaway extraction, and multi-video analysis. Powered by evol... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 141 次。
如何安装 YouTube Assistant?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install youtube-assistant」即可一键安装,无需额外配置。
YouTube Assistant 是免费的吗?
是的,YouTube Assistant 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
YouTube Assistant 支持哪些平台?
YouTube Assistant 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 YouTube Assistant?
由 EvolinkAI(@evolinkai)开发并维护,当前版本 v1.0.4。
推荐 Skills