← 返回 Skills 市场
131
总下载
0
收藏
0
当前安装
2
版本数
在 OpenClaw 中安装
/install youtube-distiller
功能描述
Automatically download subtitles from YouTube/Bilibili and generate structured knowledge articles in various summary styles using AI.
安全使用建议
This skill mostly does what it claims, but there are several red flags you should address before installing or running it:
- Do not trust the embedded API key in the README/dev docs. Treat it as leaked; if you or your org ever used it, rotate/ revoke it immediately. The presence of a literal key in the repo is a security problem.
- The skill needs an API key (MINIMAX_API_KEY) though the registry metadata does not declare it — expect to set that env var yourself. Only provide a key you control and are willing to use with this third-party service.
- The script expects yt-dlp at a specific Windows path and uses many hardcoded C:\butler_sumo paths. If you run this on a different OS or without those directories the script could fail or create files in unexpected locations. Review and, if needed, change the paths before running.
- Review the code (youtube_distiller.py) locally to confirm it only sends subtitle text to the stated API and does not exfiltrate other data. Consider running it in an isolated environment (VM/container) and monitoring outgoing network requests on first run.
- If you only want local summaries, consider removing or disabling the API calls and using an offline summarizer (or supply your own provider) so you don't send data to a third-party service.
Given these inconsistencies (undeclared env var and binaries, hardcoded file paths, and a leaked-looking API key), treat this skill as suspicious until the repository owner clarifies and removes the exposed credential and documents required dependencies and filesystem behavior.
功能分析
Type: OpenClaw Skill
Name: youtube-distiller
Version: 2.1.0
The bundle contains a hardcoded, plaintext MiniMax API key within the development log file (youtube-knowledge-dev.md), which constitutes a significant credential leak vulnerability. While the script's primary function of summarizing YouTube videos via yt-dlp and the MiniMax API is consistent with its documentation, it employs risky practices such as using hardcoded absolute paths on the C: drive (e.g., C:\butler_sumo\...) for file operations and binary execution. These security flaws, particularly the exposed API key, warrant a suspicious classification despite the lack of clear evidence of intentional malice.
能力评估
Purpose & Capability
The name/description (download subtitles & generate summaries) matches the code's behavior, but the registry metadata claims no required env vars or binaries while the code and README clearly depend on an external yt-dlp executable and an environment variable MINIMAX_API_KEY. Hardcoded Windows paths (C:\butler_sumo\...) are used throughout, which is reasonable for a desktop tool but is not declared in the registry and may be surprising to users on other platforms.
Instruction Scope
SKILL.md instructs running the bundled script, which is expected, but the script reads/writes multiple local directories (library/SumoNoteBook, tools, sync_log) and will attempt to create and modify files there. It also sends subtitle text to an external API (api.minimax.io). The runtime instructions and registry metadata do not disclose the env var requirement (MINIMAX_API_KEY) or the exact filesystem locations the skill will modify.
Install Mechanism
No install spec (instruction-only) — low installation risk. However, the code expects external binaries (yt-dlp at a hardcoded path, and optionally Whisper/faster-whisper) but the registry did not declare those dependencies or provide install steps. That mismatch can lead to unexpected failures or hidden assumptions about available tooling.
Credentials
The repository/code expects MINIMAX_API_KEY, but the skill metadata lists no required environment variables. Worse: the README/dev docs include a long API key literal (cleartext) and an API URL, which appears to be a real credential—this is a sensitive disclosure. Requesting a single provider API key for summarization is proportional, but (1) it should be declared in metadata and (2) embedding a key in docs is a serious security problem (leak/unauthorized reuse).
Persistence & Privilege
The skill is not always-enabled and is user-invocable (normal). It writes files to several shared/local directories (SumoNoteBook, sync logs), which is expected for a summarizer that syncs notes, but users should be aware it will create/modify files in those hardcoded paths. There is no evidence it modifies other skills or system-wide agent settings.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install youtube-distiller - 安装完成后,直接呼叫该 Skill 的名称或使用
/youtube-distiller触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v2.1.0
新增自動同步到SumoNoteBook功能、research_index更新、sync_log記錄
v2.0.0
修復AI總結API回應解析問題
元数据
常见问题
YouTube Distiller 是什么?
Automatically download subtitles from YouTube/Bilibili and generate structured knowledge articles in various summary styles using AI. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 131 次。
如何安装 YouTube Distiller?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install youtube-distiller」即可一键安装,无需额外配置。
YouTube Distiller 是免费的吗?
是的,YouTube Distiller 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
YouTube Distiller 支持哪些平台?
YouTube Distiller 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 YouTube Distiller?
由 Sumo0221(@sumo0221)开发并维护,当前版本 v2.1.0。
推荐 Skills