← 返回 Skills 市场
aiastia

Universal Video to S3 Uploader

作者 aiastia · GitHub ↗ · v3.0.5 · MIT-0
linuxdarwin ⚠ suspicious
227
总下载
0
收藏
0
当前安装
12
版本数
在 OpenClaw 中安装
/install youtube-s3-uploader
功能描述
Download videos from YouTube, Twitter/X, TikTok, Douyin, Bilibili and upload to S3-compatible storage. Universal video downloader with smart quality selectio...
安全使用建议
This package appears to implement a video downloader → S3 uploader, but it has several red flags you should consider before installing or running it: - Do not trust the README alone: the runtime scripts expect a config at /home/node/.openclaw/workspace/.r2-upload.yml, while docs tell you to use ~/.youtube-s3-uploader.yml. Verify which config file the code will actually read so you don't accidentally leak credentials or leave them in an unexpected location. - Inspect the code locally before running. The scripts use execSync/exec to run yt-dlp, ffmpeg and curl, and they read/write files under hardcoded workspace directories. Make sure those paths are acceptable and won't expose any sensitive data on your machine or agent workspace. - Be cautious about credentials: only provide S3 keys you control and consider using a scoped, low-privilege key or a dedicated test account. Do not reuse high-privilege AWS keys. - The package contains a script that edits other script files (scripts/add-import.js). Consider removing or reviewing that behavior if you plan to run the tool. - Ensure required binaries exist at the expected locations or modify the scripts to point to safe, known paths. Alternatively, run this in an isolated environment (container or VM) where accidental exposure is contained. If you want to proceed safely, run the code in a sandbox, correct the config path to the one you control, and test with temporary, limited-permission S3 credentials.
功能分析
Type: OpenClaw Skill Name: youtube-s3-uploader Version: 3.0.5 The skill bundle contains multiple critical command injection vulnerabilities where user-provided URLs are directly interpolated into shell commands. Specifically, in 'scripts/video-to-s3-universal.js' and 'scripts/youtube-to-s3.js', the 'url' parameter is passed unsanitized to 'execSync' calls for 'yt-dlp'. Similarly, 'scripts/fixed-upload-video-to-s3.js' uses 'exec' to run 'curl' on a URL in the 'verifyUpload' function. While these flaws allow for arbitrary code execution if an attacker provides a crafted URL, they appear to be unintentional security oversights rather than intentional malware, as there is no evidence of data exfiltration or hidden backdoors.
能力标签
crypto
能力评估
Purpose & Capability
The declared purpose (download videos and upload to S3) aligns with the code's use of yt-dlp, ffmpeg and the AWS S3 SDK. However there are notable mismatches: the SKILL.md/README instructs the user to place credentials in ~/.youtube-s3-uploader.yml, while the runtime scripts expect a different config file (/home/node/.openclaw/workspace/.r2-upload.yml). Hardcoded workspace paths for yt-dlp, ffmpeg, downloads and config indicate this package was written to run inside a specific agent/container environment rather than as a general CLI, which is not explained in the documentation.
Instruction Scope
Runtime scripts call external binaries via execSync/exec (yt-dlp, ffmpeg, curl) and read/write files under hardcoded paths in /home/node/.openclaw/workspace. SKILL.md claims 'no external APIs' and instructs a user-local config but the code will look for and require a YAML config in the workspace path. The scripts will read local files, execute shell commands, and can run curl to verify URLs — behaviors consistent with a downloader but broader than the user-facing config/instructions imply and potentially surprising to non-technical users.
Install Mechanism
There is no install spec in the registry metadata (instruction-only), but the package contains Node code and package.json with dependencies (@aws-sdk/client-s3, js-yaml). Nothing in the manifest downloads arbitrary code at runtime from untrusted URLs; however there are no explicit install-time steps documented for installing Node deps or ensuring yt-dlp/ffmpeg are available at the hardcoded paths. The absence of an install recipe plus hardcoded binary locations is fragile and risky operationally.
Credentials
The skill declares no required environment variables, yet it requires S3 credentials — stored in a YAML config — to function. The documentation tells users to put credentials in ~/.youtube-s3-uploader.yml, but the runtime code reads /home/node/.openclaw/workspace/.r2-upload.yml (and other scripts default to that path). This mismatch could cause credential misplacement or accidental use of credentials in unintended locations. The package also contains a script (scripts/add-import.js) that programmatically edits another script, which increases the surface where secrets/config could be read or changed unexpectedly.
Persistence & Privilege
The skill is not marked always:true and does not request elevated platform privileges. However it includes a helper (scripts/add-import.js) that modifies code files, and other scripts write/read files under hardcoded workspace directories. These behaviors create persistence of data (downloads, config with secrets) on disk and alter local files — normal for a CLI uploader but something to be aware of before running in a sensitive environment.
如何使用
  1. 确保已安装 OpenClaw(本地或 Docker 部署)
  2. 在对话框中输入安装命令:/install youtube-s3-uploader
  3. 安装完成后,直接呼叫该 Skill 的名称或使用 /youtube-s3-uploader 触发
  4. 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v3.0.5
Confirm --merge-output-format mp4 for all downloads, ensure mp4 output
v3.0.4
Fix: yt-dlp path detection, add .gitignore, dependency fix
v3.0.3
- Internal improvements and small fixes to scripts for reliability and package consistency. - Updated CHANGELOG and package version to 3.0.3. - No user-facing changes or new features in this release.
v3.0.2
youtube-s3-uploader v3.0.2 - Added update-version.js script for automated version management. - Updated core scripts and metadata for improved maintainability. - Minor internal changes in video-to-s3-universal.js and youtube-to-s3.js scripts. - Updated package.json and CHANGELOG.md to reflect version changes.
v3.0.1
Universal filename cleanup and improved platform support. - Cleans and normalizes filenames by removing all punctuation, emojis, and special characters for better S3 compatibility. - Adds robust Unicode support, including Chinese punctuation and emojis. - Automatic detection of video platform (YouTube, Twitter/X, TikTok, etc.). - Universal download support for 1000+ sites via yt-dlp.
v3.0.0
v3.0.0: Universal video downloader - supports YouTube, Twitter/X, TikTok, Douyin, Bilibili and 1000+ sites via yt-dlp. New video-s3-upload command for any video platform.
v2.0.3
v2.0.3: Major improvements - readable filenames with Chinese characters preserved, intelligent quality selection prioritizing 1080p/720p, and reliable audio merging. Fixed unreadable filenames and low-quality format selection.
v2.0.2
v2.0.2: Fixed critical audio merge issues. Now prioritizes merged formats (already containing audio) and automatically uses ffmpeg when merging is required. Guarantees all downloaded videos include audio tracks.
v2.0.1
v2.0.1: Unified version with automatic quality selection and audio assurance. Simplified script architecture (2 essential scripts only). Automatically detects and downloads highest quality video with audio. Fixed Chinese character metadata issues. Single command for all YouTube videos.
v2.0.0
v2.0.0: Complete rewrite with S3 Multipart Upload for all files. Fixed help system, not backward compatible with v1.x. Always uses multipart upload, improved error handling, and better memory management.
v1.1.0
Added S3 Multipart Upload support for large files, memory optimization, error recovery, and smart method selection.
v1.0.0
Initial release: Complete YouTube to S3 workflow for personal media storage. Features one-command processing, automatic cleanup, S3-compatible storage support, and secure access patterns. Perfect for archiving favorite videos, backing up educational content, or team collaboration.
元数据
Slug youtube-s3-uploader
版本 3.0.5
许可证 MIT-0
累计安装 0
当前安装数 0
历史版本数 12
常见问题

Universal Video to S3 Uploader 是什么?

Download videos from YouTube, Twitter/X, TikTok, Douyin, Bilibili and upload to S3-compatible storage. Universal video downloader with smart quality selectio... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 227 次。

如何安装 Universal Video to S3 Uploader?

在 OpenClaw 或 Claude Code 对话框中运行命令「/install youtube-s3-uploader」即可一键安装,无需额外配置。

Universal Video to S3 Uploader 是免费的吗?

是的,Universal Video to S3 Uploader 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。

Universal Video to S3 Uploader 支持哪些平台?

Universal Video to S3 Uploader 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(linux, darwin)。

谁开发了 Universal Video to S3 Uploader?

由 aiastia(@aiastia)开发并维护,当前版本 v3.0.5。

推荐 Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463368 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259467 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200457 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191163 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190189 · by oswalpalash

💬 留言讨论