← 返回 Skills 市场
esanle

Youtube Notification Analysis

作者 esanle · GitHub ↗ · v1.0.2
cross-platform ⚠ suspicious
574
总下载
0
收藏
0
当前安装
3
版本数
在 OpenClaw 中安装
/install youtube-notification-analysis
功能描述
Analyze YouTube notifications for investment and trading insights. Use when user wants investment advice from YouTube, analyzing stock crypto or financial co...
安全使用建议
This skill is internally inconsistent in ways that matter for safety: it tells the agent to download videos and run a local speech model, and—most importantly—to execute trades via a separate skill, but it declares no binaries, install steps, or credentials. Before installing or enabling it: 1) Confirm how trading will be authorized — never give live brokerage credentials without explicit, auditable confirmation and least-privilege controls; prefer a sandbox/test account. 2) Ensure yt-dlp and whisper-cpp (and the model file) come from trusted sources and understand disk/CPU impact. 3) Require explicit human confirmation before any trade execution and audit/logging to a secure location (not world-readable /tmp). 4) Verify the tiger-trade skill (or any trading integration) separately — check what credentials it needs and how it transmits orders. 5) If you don’t want automated trades, disallow autonomous invocation for this skill or remove the trade-execution steps from its instructions. If you want a lower-risk test, run the skill in a restricted environment with no trading credentials and monitor file/network activity.
功能分析
Type: OpenClaw Skill Name: youtube-notification-analysis Version: 1.0.2 The skill is classified as suspicious due to its explicit capability to "execute trades" using a `tiger-trade` skill, which represents a high-risk financial operation. Additionally, the `SKILL.md` file contains shell commands using `yt-dlp` with unsanitized placeholders (`<video_url>`, `VIDEO_ID`), which introduces a shell injection vulnerability if the AI agent or user input is not properly sanitized. While there is no evidence of intentional malicious behavior like data exfiltration or backdoors, these combined factors present significant security risks.
能力评估
Purpose & Capability
The name/description (YouTube notification analysis for investment insights) is plausible, but the SKILL.md calls for capabilities that are not declared: it expects yt-dlp and whisper-cpp binaries and a 'tiger-trade' skill to execute trades. The registry metadata lists no required binaries, env vars, or primary credential, which is inconsistent with a skill that will download videos, run local speech models, and place trades.
Instruction Scope
Runtime instructions tell the agent to open YouTube in a browser, click a specific notification element, extract video IDs from snapshots, download videos and subtitles, run a local speech model (whisper-cpp) and then 'execute trades' using tiger-trade. The trade-execution step is out-of-band for a passive analysis skill and grants broad operational authority (network calls, account operations) without describing constraints or confirmations. Instructions also write logs to /tmp and reference local model paths (whisper-cpp/models/ggml-base.bin) not provided.
Install Mechanism
There is no install spec (instruction-only), which by itself is low risk, but the instructions assume presence of external tooling (yt-dlp, whisper-cpp binary and model files). Those are not declared as required and no safe install source is provided; the skill's workflow expects large model files and binaries that would need to be fetched/installed by the agent or operator — the absence of a vetted install mechanism is a gap.
Credentials
The skill intends to execute trades but declares no required environment variables or credentials (API keys, broker account tokens). Placing trades requires sensitive credentials and auditing/confirmation. The SKILL.md does not explain where trading credentials come from, how trades are authorized, or what permissions tiger-trade needs. This is disproportionate and risky for a user-facing skill that can act on financial accounts.
Persistence & Privilege
always:false (good). The skill is allowed to be invoked autonomously by default (platform normal). Combined with the instruction to execute trades, autonomous invocation increases potential harm if the agent is permitted to call tiger-trade without human confirmation. The skill does not request persistent system-wide changes, but it does write logs to /tmp (temporary) and expects local models — both require local storage and could leak sensitive context if not managed.
如何使用
  1. 确保已安装 OpenClaw(本地或 Docker 部署)
  2. 在对话框中输入安装命令:/install youtube-notification-analysis
  3. 安装完成后,直接呼叫该 Skill 的名称或使用 /youtube-notification-analysis 触发
  4. 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.2
- Removed the `/ytb_trade` command and related trigger phrase from documentation. - All other workflow and analysis steps remain unchanged.
v1.0.1
- Updated investment analysis section to clarify focus on stock, crypto, macro finance, and market trends from YouTube notifications. - No changes to workflow or commands. - Documentation now better describes the analysis scope.
v1.0.0
YouTube Notification Analysis skill initial release: - Analyze YouTube notifications for investment and trading insights. - Automates workflow: navigates notifications, extracts relevant video IDs, retrieves and transcribes subtitles, then summarizes investment advice. - Integrates with tiger-trade skill for trade execution based on analysis. - Supports subtitles extraction via yt-dlp and fallback to whisper-cpp if needed. - Targets popular crypto and finance channels for enhanced relevance. - Command triggers: `/ytb_trade` or "基于 youtube 的投资". - All analysis logs saved to `/tmp/youtube_investment_*.log`.
元数据
Slug youtube-notification-analysis
版本 1.0.2
许可证
累计安装 0
当前安装数 0
历史版本数 3
常见问题

Youtube Notification Analysis 是什么?

Analyze YouTube notifications for investment and trading insights. Use when user wants investment advice from YouTube, analyzing stock crypto or financial co... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 574 次。

如何安装 Youtube Notification Analysis?

在 OpenClaw 或 Claude Code 对话框中运行命令「/install youtube-notification-analysis」即可一键安装,无需额外配置。

Youtube Notification Analysis 是免费的吗?

是的,Youtube Notification Analysis 完全免费(开源免费),可自由下载、安装和使用。

Youtube Notification Analysis 支持哪些平台?

Youtube Notification Analysis 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。

谁开发了 Youtube Notification Analysis?

由 esanle(@esanle)开发并维护,当前版本 v1.0.2。

推荐 Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 留言讨论