Low risk: risk score 10/100
Last scanned: 21 hours ago
nate-b-jones-digest
Monitor Nate B Jones's YouTube channel, pull each new video transcript, summarize it, and distribute the digest via email, chat, and/or document.
A legitimate YouTube channel monitoring and digest skill with fully documented workflows and no hidden malicious functionality.
Skill name: nate-b-jones-digest
Analysis time: 44.2s
Engine: pi
Can be installed
Approve for use. All shell operations and network calls are explicitly documented in SKILL.md. No credential harvesting or data exfiltration observed.

Security findings: 2

Severity | Finding | Category | Location
Low | Capability levels not declared in frontmatter | Documentation deception | SKILL.md:1
  SKILL.md frontmatter does not explicitly declare resource capability levels (filesystem, network, shell, etc.). While all operations are described in the body text, the absence of formal declarations is a minor documentation gap.
  Evidence (SKILL.md:1):
    ---
    name: nate-b-jones-digest
    description: Monitor Nate B Jones's YouTube channel...
  → Add a capabilities section to the frontmatter listing: filesystem:WRITE, network:READ, shell:WRITE, environment:READ, skill_invoke:READ
Info | Email address present in config | Sensitive access | config.yml:9
  [email protected] appears in config.yml. This is a legitimate subscriber email, not a credential.
  Evidence (config.yml:9):
    - [email protected]
  → No action needed; this is expected contact info for digest delivery.
Resource type | Declared permission | Inferred permission | Status | Evidence
Filesystem | NONE | WRITE | ✓ consistent | SKILL.md lines 60-90: writes digests, summaries, transcripts to disk
Network access | NONE | READ | ✓ consistent | SKILL.md line 46: curl to YouTube API; line 9: YouTube channel URL
Command execution | NONE | WRITE | ✓ consistent | SKILL.md lines 47-48: yt-dlp, jq; line 56: whisper CLI
Environment variables | NONE | READ | ✓ consistent | SKILL.md line 61: GOG_KEYRING_PASSWORD env var for Gmail auth
Skill invocation | NONE | READ | ✓ consistent | SKILL.md lines 60-61: invokes 'gog' skill for Gmail/Docs
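The declared-versus-inferred comparison above, and the "capabilities not declared" finding it backs, is a check a reviewer can reproduce locally before approving a skill. The script below is an added example, not the scanner's (pi engine) or the skill's own code: it splits a SKILL.md into frontmatter and body, infers capability levels from the body with a small regex rule set, and reports each capability as consistent, undeclared, under-declared or over-declared relative to the frontmatter. The `capabilities:` frontmatter layout, the inference rules and the abridged sample SKILL.md are assumptions modelled on this report, not the real file.

```python
"""Compare a SKILL.md's declared capabilities with what its body implies.

Added example (not the scanner's or the skill's own code). The rule set,
the `capabilities:` frontmatter layout and the sample SKILL.md below are
assumptions modelled on the scan report, not the real skill file.
"""
import re
from typing import Dict, List, Tuple

LEVELS = {"NONE": 0, "READ": 1, "WRITE": 2}
CAPABILITIES = ["filesystem", "network", "shell", "environment", "skill_invoke"]

# Hypothetical inference rules: capability -> (level implied, regex tried per body line).
RULES: Dict[str, Tuple[str, str]] = {
    "filesystem": ("WRITE", r"\b(save|saves|write|writes|append|appends)\b|>{1,2}\s*\S+\.(txt|md|html|json)\b"),
    "network": ("READ", r"\b(curl|wget)\b|https?://"),
    "shell": ("WRITE", r"\b(yt-dlp|whisper|jq|curl|bash|sh)\b"),
    "environment": ("READ", r"\b(export|env var|environment variable)\b|\$\{?[A-Z][A-Z0-9_]*\}?"),
    "skill_invoke": ("READ", r"\b(invoke|invokes|invoking|call|calls|calling)\b\s+(the\s+)?['`]?[\w-]+['`]?\s+skill\b"),
}

# Constructed fixture (abridged, not the real SKILL.md); its frontmatter declares nothing.
SAMPLE_SKILL_MD = """---
name: nate-b-jones-digest
description: Monitor Nate B Jones's YouTube channel and distribute a digest.
---
# Workflow
1. List recent uploads: curl -s https://www.youtube.com/@NateBJones/videos
2. Download audio: yt-dlp -x "https://www.youtube.com/watch?v=$VIDEO_ID"
3. Transcribe: whisper audio.m4a --model base
4. Save the transcript to logs/$VIDEO_ID-transcript.txt
5. Export GOG_KEYRING_PASSWORD before invoking the gog skill to send the digest.
"""


def parse_frontmatter(text: str) -> Tuple[Dict[str, str], str]:
    """Split YAML-style frontmatter from the body. Declared capabilities are read
    from an indented block under `capabilities:` (assumed layout); other keys are ignored."""
    m = re.match(r"^---\n(.*?)\n---\n(.*)$", text, re.S)
    if not m:
        return {}, text
    declared: Dict[str, str] = {}
    in_caps = False
    for line in m.group(1).splitlines():
        if re.match(r"^capabilities:\s*$", line):
            in_caps = True
            continue
        if in_caps and re.match(r"^\s+\w+:\s*\w+\s*$", line):
            key, value = line.split(":", 1)
            declared[key.strip()] = value.strip().upper()
        else:
            in_caps = False
    return declared, m.group(2)


def infer_capabilities(body: str) -> Dict[str, Tuple[str, List[int]]]:
    """Return {capability: (level, [1-based body line numbers that triggered it])}."""
    found: Dict[str, Tuple[str, List[int]]] = {c: ("NONE", []) for c in CAPABILITIES}
    for lineno, line in enumerate(body.splitlines(), 1):
        for cap, (level, pattern) in RULES.items():
            if re.search(pattern, line, re.I):
                found[cap] = (level, found[cap][1] + [lineno])
    return found


def compare(declared: Dict[str, str], inferred: Dict[str, Tuple[str, List[int]]]) -> Dict[str, dict]:
    """Classify each capability; a missing declaration counts as NONE."""
    report: Dict[str, dict] = {}
    for cap in CAPABILITIES:
        d = declared.get(cap, "NONE")
        level, lines = inferred[cap]
        if LEVELS[d] == LEVELS[level]:
            status = "consistent"
        elif d == "NONE":
            status = "undeclared"
        elif LEVELS[d] < LEVELS[level]:
            status = "under-declared"
        else:
            status = "over-declared"
        report[cap] = {"declared": d, "inferred": level, "status": status, "evidence": lines}
    return report


def audit(text: str) -> Dict[str, dict]:
    declared, body = parse_frontmatter(text)
    return compare(declared, infer_capabilities(body))


def with_capabilities(text: str, caps: Dict[str, str]) -> str:
    """Insert a `capabilities:` block (assumed layout) at the top of existing frontmatter."""
    block = "capabilities:\n" + "".join(f"  {k}: {v}\n" for k, v in caps.items())
    return text.replace("---\n", "---\n" + block, 1)


if __name__ == "__main__":
    for cap, row in audit(SAMPLE_SKILL_MD).items():
        print(f"{cap:13} declared={row['declared']:5} inferred={row['inferred']:5} "
              f"{row['status']:14} lines={row['evidence']}")
```

Run against the sample, every capability comes back `undeclared` with the body line numbers as evidence, which is the situation the Low finding describes; re-running after `with_capabilities()` adds the five levels from the recommendation yields `consistent` throughout. The rules are deliberately coarse (any `$VAR` reference counts as environment READ, for instance), so treat the output as a prompt for manual review of the cited lines rather than a verdict.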
Extracted indicators: 6
Severity | Type | Value | Location
🔗 Medium | External URL | https://www.youtube.com/@NateBJones. | SKILL.md:9
🔗 Medium | External URL | https://www.youtube.com/@NateBJones/videos | SKILL.md:32
🔗 Medium | External URL | https://www.youtube.com/watch?v=$VIDEO_ID | SKILL.md:46
🔗 Medium | External URL | https://www.youtube.com/@NateBJones | config.yml:2
🔗 Medium | External URL | https://www.youtube.com/watch?v=QT7W_uHjqWE | logs/QT7W_uHjqWE-summary.html:19
📧 Info | Email address | [email protected] | config.yml:9

Directory structure

8 files · 36.8 KB · 884 lines
Text: 3 files · 665 lines; Markdown: 2 files · 123 lines; YAML: 2 files · 59 lines; HTML: 1 file · 37 lines
├─ 📁 logs
│ ├─ 📄 nate-b-jones-last-video.txt Text 1L · 12 B
│ ├─ 📄 QT7W_uHjqWE-summary.html HTML 37L · 2.8 KB
│ ├─ 📝 QT7W_uHjqWE-summary.md Markdown 17L · 1.8 KB
│ ├─ 📄 QT7W_uHjqWE-summary.txt Text 19L · 1.8 KB
│ └─ 📄 QT7W_uHjqWE-transcript.txt Text 645L · 24.1 KB
├─ 📁 references
│ └─ 📋 config-example.yml YAML 31L · 894 B
├─ 📋 config.yml YAML 28L · 552 B
└─ 📝 SKILL.md Markdown 106L · 4.8 KB

Dependency analysis: 3

Package | Version | Source | Known vulnerabilities | Notes
youtube_transcript_api | * | pip | none listed | Version not pinned; legitimate well-maintained library
yt-dlp | * | pip | none listed | Version not pinned; well-known YouTube downloader CLI
whisper | * | pip | none listed | Version not pinned; OpenAI's Whisper CLI
Because none of the three versions is pinned, an install resolves to whatever release is current on PyPI at that moment, so the dependency set reviewed here can differ from what a later install pulls; pinning exact versions (and hashes, where the installer supports them) keeps the installed set equal to the reviewed one.

Security highlights

✓ No executable scripts present; the skill is documentation-only
✓ No obfuscation, base64-encoded content, or suspicious code patterns
✓ All shell commands (yt-dlp, whisper, curl, gog) explicitly documented in SKILL.md
✓ No credential access beyond reading GOG_KEYRING_PASSWORD for the documented Gmail auth
✓ No network calls to unknown IPs; only the YouTube API and the documented services
✓ No sensitive path access (~/.ssh, ~/.aws, .env files)
✓ No persistence mechanisms (cron entries are optional and documented)
✓ No data exfiltration or C2 communication detected
✓ External tool dependencies (youtube_transcript_api, yt-dlp, whisper) are well-known legitimate projects
✓ Logs contain only expected output from the digest workflow