Low Risk: Risk Score 20/100
Last scan: 1 day ago
youtube-transcript
Fetch and summarize transcripts from any YouTube video using yt-dlp
A straightforward YouTube transcript fetcher with minor supply-chain concern (unused dependency) and a doc-to-code mismatch on shell execution capability.
Skill Name: youtube-transcript
Duration: 32.2s
Engine: pi
Safe to install
Remove the unused `xml2js` dependency from package.json to reduce attack surface. Consider documenting the shell:WRITE capability in SKILL.md.

Findings (2 items)

Finding 1
Severity: Low
Finding: Unused dependency increases attack surface
Category: Supply Chain
package.json declares 'xml2js' as a dependency, but it is never imported or used in transcript.js. This adds an unnecessary third-party dependency without any functional benefit.
Evidence: "xml2js": "^0.6.2"
→ Remove xml2js from the dependencies entry if it is not used. Alternatively, remove it from package.json if it is only present as a transitive dependency.
Location: package.json:16

Finding 2
Severity: Low
Finding: Shell:WRITE capability not declared in SKILL.md
Category: Doc Mismatch
SKILL.md states the skill 'uses yt-dlp' but does not explicitly declare that it invokes shell commands via execSync and spawnSync. The skill effectively uses shell:WRITE through tool invocations, which should be declared.
Evidence: No declaration of shell execution capability
→ Add a Permissions section to SKILL.md listing shell:WRITE (for yt-dlp invocation) and filesystem:READ (for tmp file access).
Location: SKILL.md:1
Resource    | Declared | Inferred | Status      | Evidence
Shell       | NONE     | WRITE    | ✗ Violation | transcript.js:59 execSync('which yt-dlp'), transcript.js:75 spawnSync(ytdlp, [..…
Filesystem  | NONE     | READ     | ✗ Violation | transcript.js:80 fs.readFileSync(outFile), transcript.js:81 fs.unlinkSync(outFil…
Network     | READ     | READ     | ✓ Aligned   | transcript.js:75 yt-dlp fetches captions via YouTube; correctly declared
Environment | NONE     | NONE     |             | No env access beyond PATH lookup for yt-dlp binary
External URLs (3 findings)
Medium | External URL | https://www.youtube.com/watch?v=LAdJsmTe8LM | SKILL.md:37
Medium | External URL | https://www.youtube.com/watch?v=$ | transcript.js:76
Medium | External URL | https://www.youtube.com/watch?v=abc123 | transcript.js:118

File Tree

4 files · 13.1 KB · 436 lines
JSON: 2 files, 260 lines; JavaScript: 1 file, 138 lines; Markdown: 1 file, 38 lines
├─ 📋 package-lock.json JSON 238L · 8.0 KB
├─ 📋 package.json JSON 22L · 520 B
├─ 📝 SKILL.md Markdown 38L · 960 B
└─ 📜 transcript.js JavaScript 138L · 3.7 KB

Dependencies (1 item)

Package | Version | Source | Known Vulns | Notes
xml2js  | ^0.6.2  | npm    | No          | Declared in package.json but NOT imported/used in transcript.js; dead dependency

Security Positives

✓ No credential harvesting or environment variable enumeration observed
✓ No base64, eval, or obfuscation patterns present
✓ No network calls to third-party hosts; the only network access is to YouTube via yt-dlp
✓ File operations are scoped to os.tmpdir() only
✓ No persistence mechanisms (no cron, startup hooks, or backdoors)
✓ URL validation present (extractVideoId function)
✓ Clean VTT sanitization with HTML tag stripping and deduplication