← 返回 Skills 市场
436
总下载
0
收藏
1
当前安装
1
版本数
在 OpenClaw 中安装
/install youtube-channel-monitor
功能描述
YouTube 频道订阅+自动摘要+Telegraph 发布工具。用于: 1. 定时监控指定 YouTube 频道的新视频 2. 提取视频字幕(支持中英双语) 3. 生成可读性强的中文专栏文章 4. 自动发布到 Telegraph 并推送到 Telegram 频道 触发场景: - 用户想订阅 YouTube 频道...
安全使用建议
Do not install or run this skill until you are comfortable with who controls the hardcoded Telegram bot. The script will publish generated content to a specific Telegram channel using a bot token embedded in the code, meaning your subscribed video summaries could be sent to an external party. Recommended actions before using: 1) Inspect and remove the hardcoded token (rotate it if it's yours), 2) Replace the hardcoded TELEGRAM_CHANNEL and token with configuration (environment variables or a user-provided config file) and document that behavior in SKILL.md, 3) Verify the absolute paths (/home/t/...) match your environment or change to use ~ or configurable workspace path, 4) Run the script in an isolated environment or sandbox first and monitor outbound network calls, 5) If you do not control the embedded bot token, consider rejecting this skill or asking the publisher to provide a version that uses user-supplied credentials. If you want, I can provide a secure patch that removes the hardcoded token and makes Telegram destination and credentials configurable.
功能分析
Type: OpenClaw Skill
Name: youtube-channel-monitor
Version: 1.0.0
The skill bundle is classified as suspicious primarily due to the hardcoded Telegram bot token (`8630160870:AAFFF8xPS0muOqg8LGgMI3HalEA7ubVRIF8`) found in `scripts/youtube-monitor.py`. This constitutes a credential leak, allowing anyone with access to the skill bundle to impersonate the bot and send messages to the specified Telegram channel (`-1003899234137`). While the bot's intended use is for benign notifications, exposing this token is a significant security vulnerability. Additionally, the `SKILL.md` instructs the agent to execute `cat ~/.openclaw/workspace/youtube-channels.json`, which directly exposes local file content, a capability that could be misused.
能力评估
Purpose & Capability
The code implements the stated functionality (checking channels, fetching transcripts, translating, creating Telegraph pages, pushing to Telegram). Dependencies listed in SKILL.md (yt-dlp, youtube-transcript-api, requests) match the script's behavior. However, the script hardcodes a Telegram bot token and a Telegram channel id instead of using user-provided credentials or declared environment variables, which is not proportionate to a 'user-subscribe-to-your-channels' utility and deviates from expected design.
Instruction Scope
SKILL.md instructs the agent/user to run a script and references configuration files under ~/.openclaw/workspace, but the script uses absolute paths (/home/t/.openclaw/...) which may not match the runtime environment. More importantly, the runtime actions include posting generated content to an externally owned Telegram bot/channel (hardcoded token and channel id) and creating Telegraph accounts/pages — the instructions do not make it explicit that content will be sent to someone else's Telegram, nor do they explain the hardcoded token. The script will read and write local state and token files in the workspace, which is expected, but sending content externally without clearly declared credentials is unexpected and risky.
Install Mechanism
This is an instruction-only skill with no install spec (no packages are automatically downloaded). The script expects external Python packages and yt-dlp to be installed; that matches SKILL.md. No remote install URLs or archive extracts are used.
Credentials
The skill declares no required environment variables or primary credential, yet the script contains a hardcoded Telegram bot token (token value present in code) and a hardcoded TELEGRAM_CHANNEL id (-1003899234137). It also assumes a local HTTP proxy at 127.0.0.1:7897. Requesting no credentials while embedding an actual credential is a mismatch and a red flag: it gives the skill the ability to publish/exfiltrate content to an external Telegram destination controlled by whoever owns that token.
Persistence & Privilege
The skill does not request always:true and does not modify other skills. It writes state files and a telegraph_token.json into the workspace directory (normal for this functionality). Autonomous invocation is allowed (platform default). Combined with the hardcoded credentials, autonomous invocation increases the blast radius because the skill could regularly push content to the external Telegram channel without further user interaction.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install youtube-channel-monitor - 安装完成后,直接呼叫该 Skill 的名称或使用
/youtube-channel-monitor触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
youtube-channel-monitor 1.0.0
- 首发版本:支持定时监控指定 YouTube 频道的新视频,自动生成中英文摘要并发布到 Telegraph 和 Telegram 频道
- 自动获取中文字幕,英文字幕自动翻译为中文
- 每小时检查,最多重试字幕获取 3 次
- 支持通过频道链接一键订阅及订阅列表管理
- 可自定义代理和推送频道等参数
元数据
常见问题
Youtube Channel Monitor 是什么?
YouTube 频道订阅+自动摘要+Telegraph 发布工具。用于: 1. 定时监控指定 YouTube 频道的新视频 2. 提取视频字幕(支持中英双语) 3. 生成可读性强的中文专栏文章 4. 自动发布到 Telegraph 并推送到 Telegram 频道 触发场景: - 用户想订阅 YouTube 频道... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 436 次。
如何安装 Youtube Channel Monitor?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install youtube-channel-monitor」即可一键安装,无需额外配置。
Youtube Channel Monitor 是免费的吗?
是的,Youtube Channel Monitor 完全免费(开源免费),可自由下载、安装和使用。
Youtube Channel Monitor 支持哪些平台?
Youtube Channel Monitor 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Youtube Channel Monitor?
由 subwukong(@subwukong)开发并维护,当前版本 v1.0.0。
推荐 Skills