Low Risk — Risk Score 20/100
Last scan: 2 days ago
youtube-to-feishu
Download YouTube video audio and upload to Feishu cloud storage
The skill performs legitimate YouTube audio download and Feishu upload functionality with no malicious behavior detected. Minor doc-to-code mismatch exists around capability declarations.
Skill Name: youtube-to-feishu
Duration: 39.9s
Engine: pi
Safe to install
Consider explicitly declaring filesystem:WRITE (temp directory and MP3 output) and shell:WRITE (the subprocess calls to yt-dlp) in SKILL.md so the declared capabilities match what the code actually does.

Findings (2 items)

Severity: Low
Finding: Missing capability declarations
Location: SKILL.md:1
SKILL.md declares NONE for filesystem, but the code creates temp directories and writes downloaded MP3 files. It also uses subprocess to execute yt-dlp without an explicit shell:WRITE declaration.
Evidence: declared NONE for filesystem
Recommendation: Add 'filesystem:WRITE' and 'shell:WRITE' to the capability declarations, and document that temp files are created and yt-dlp is executed.
Severity: Low
Finding: URL passed to subprocess
Location: youtube_upload.py:59
User-provided YouTube URLs are passed directly to subprocess.run() for yt-dlp execution. URL validation exists in index.js, but the Python scripts themselves accept any string, so a value that does not pass through index.js reaches yt-dlp unchecked. Because the value is an argv element rather than part of a shell string, the concern is argument injection (a value beginning with '-' is read by yt-dlp as an option) rather than shell injection.
Evidence: subprocess.run(info_cmd, ...)
Recommendation: Validate the URL in the Python scripts (allowlisted hostname, well-formed video ID, not option-shaped) before passing it to subprocess, and place it after a '--' argument so it can never be parsed as an option.
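As an added example (not code from the youtube-to-feishu skill), the following Python shows the validation the recommendation asks for: an allowlist of hostnames (an assumed set), a check that the value is not option-shaped, extraction of the 11-character video ID, and a yt-dlp argv that rebuilds the URL in canonical form behind a `--` end-of-options marker. The hostnames, the `/tmp/work` path and the sample inputs are constructed for illustration; the yt-dlp flags used (`--no-playlist`, `-x`, `--audio-format`, `-o`, `--`) are standard yt-dlp options.

```python
# Added example for the "URL passed to subprocess" finding. This is not code from
# the youtube-to-feishu skill; it shows how the Python side could validate a
# YouTube URL before it reaches subprocess.run and how to build the yt-dlp argv
# so that a user-controlled value can never be interpreted as an option.
import re
from urllib.parse import parse_qs, urlparse

# Whole-hostname allowlist (assumed set of hosts the skill wants to support).
# Comparing the full hostname, rather than url.includes("youtube.com"), rejects
# look-alikes such as youtube.com.evil.example.
ALLOWED_HOSTS = {"www.youtube.com", "youtube.com", "m.youtube.com", "youtu.be"}

# YouTube video IDs are 11 characters from [A-Za-z0-9_-].
VIDEO_ID_RE = re.compile(r"[A-Za-z0-9_-]{11}")


def extract_video_id(url: str) -> str:
    """Return the video ID from a well-formed YouTube URL, or raise ValueError.

    Rejects option-like strings ("-x", "--exec ..."), non-https schemes, hosts
    outside the allowlist and malformed IDs. Callers use only the returned ID;
    the original string is never handed to yt-dlp.
    """
    if not isinstance(url, str):
        raise ValueError("URL must be a string")
    url = url.strip()
    if url.startswith("-"):
        raise ValueError("URL must not look like a command-line option")
    parts = urlparse(url)
    if parts.scheme != "https" or parts.hostname not in ALLOWED_HOSTS:
        raise ValueError(f"unsupported URL: {url!r}")
    if parts.hostname == "youtu.be":
        video_id = parts.path.lstrip("/").split("/", 1)[0]
    else:
        if parts.path != "/watch":
            raise ValueError("only /watch URLs are accepted")
        # parse_qs drops empty values, so "v=" falls through to "" and fails below
        video_id = parse_qs(parts.query).get("v", [""])[0]
    if not VIDEO_ID_RE.fullmatch(video_id):
        raise ValueError(f"malformed video id: {video_id!r}")
    return video_id


def is_safe_youtube_url(url: str) -> bool:
    """Boolean form of extract_video_id for callers that only want a verdict."""
    try:
        extract_video_id(url)
        return True
    except ValueError:
        return False


def build_ytdlp_cmd(url: str, out_dir: str) -> list:
    """Build the argv list for the yt-dlp audio download (no shell involved).

    The URL is rebuilt from the validated ID in canonical form and placed after
    "--". yt-dlp's option parser is optparse-based, so "--" ends option parsing
    and everything after it is treated as a URL even if it starts with "-".
    """
    video_id = extract_video_id(url)
    canonical = f"https://www.youtube.com/watch?v={video_id}"
    return [
        "yt-dlp",
        "--no-playlist",                      # one video only, even for list-style links
        "-x", "--audio-format", "mp3",        # extract audio as MP3, as the skill does
        "-o", f"{out_dir}/%(id)s.%(ext)s",    # output name derived from the ID, not the input
        "--",
        canonical,
    ]


if __name__ == "__main__":
    # Constructed inputs: the README's example link, a short link, and three
    # strings a substring check would accept or that target the option parser.
    samples = [
        "https://www.youtube.com/watch?v=dyJUscv7b9g",
        "https://youtu.be/dyJUscv7b9g",
        "https://youtube.com.evil.example/watch?v=dyJUscv7b9g",
        "--exec=echo injected",
        "https://www.youtube.com/watch?v=abc",
    ]
    for sample in samples:
        verdict = "accept" if is_safe_youtube_url(sample) else "reject"
        print(f"{sample!r:60} -> {verdict}")
    print(build_ytdlp_cmd(samples[1], "/tmp/work"))
```

The canonical rebuild matters as much as the allowlist: once only the 11-character ID survives validation, the string handed to yt-dlp is fully under the program's control, and the `--` marker is a second, independent guard in case a future code path passes an unvalidated value.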
Resource     Declared  Inferred  Status       Evidence
Filesystem   NONE      WRITE     ✗ Violation  youtube_upload.py:49 - os.makedirs(temp_dir, exist_ok=True)
Shell        NONE      WRITE     ✗ Violation  youtube_upload.py:59-72 - subprocess.run(["yt-dlp", ...])
Network      READ      READ      ✓ Aligned    index.js:70 - url.includes("youtube.com")
Environment  NONE      READ      ✓ Aligned    index.js:37 - passes process.env to child process
External URLs (7 findings)

Severity  Type          URL                                           Location
Medium    External URL  https://clawhub.ai                            PUBLISH_GUIDE.md:24
Medium    External URL  https://clawhub.ai/import                     PUBLISH_GUIDE.md:71
Medium    External URL  https://www.youtube.com/watch?v=VIDEO_ID      PUBLISH_GUIDE.md:103
Medium    External URL  https://clawhub.ai/skills/youtube-to-feishu   PUBLISH_GUIDE.md:147
Medium    External URL  https://www.youtube.com/watch?v=dyJUscv7b9g   README.md:45
Medium    External URL  https://youtu.be/VIDEO_ID                     README.md:51
Medium    External URL  https://www.youtube.com/watch?v=...           index.js:70

File Tree

7 files · 24.0 KB · 890 lines
Markdown: 3 files · 468 lines; Python: 2 files · 342 lines; JavaScript: 1 file · 79 lines; Text: 1 file · 1 line
├─ 📜 index.js JavaScript 79L · 2.2 KB
├─ 📝 PUBLISH_GUIDE.md Markdown 194L · 4.1 KB
├─ 📝 README.md Markdown 190L · 4.3 KB
├─ 📄 requirements.txt Text 1L · 17 B
├─ 📝 SKILL.md Markdown 84L · 2.6 KB
├─ 🐍 youtube_to_feishu_complete.py Python 195L · 6.1 KB
└─ 🐍 youtube_upload.py Python 147L · 4.7 KB

Dependencies (1 item)

Package  Version     Source  Known Vulns  Notes
yt-dlp   >=2024.0.0  pip     No           Minimum-version constraint only; not pinned to an exact version, so the resolved release can differ between installs

Security Positives

✓ No credential harvesting - code does not access ~/.ssh, ~/.aws, or .env files
✓ No data exfiltration - no POST requests to external IPs with sensitive data
✓ No base64-encoded payloads or eval() calls
✓ No curl|bash remote script execution
✓ No hidden functionality in HTML comments or elsewhere
✓ yt-dlp carries a minimum-version constraint in requirements.txt (>=2024.0.0); this is a floor, not an exact pin, so the installed version can still change between installs
✓ URL validation exists in index.js before processing (a substring check, url.includes("youtube.com") at index.js:70, so it is a sanity check rather than a strict allowlist)
✓ Clean temp file cleanup logic with age-based removal
✓ Documentation clearly describes the workflow and dependencies