Is youtube-transcript safe?
https://clawhub.ai/xthezealot/youtube-transcript
This skill fetches YouTube transcripts via a Python script that routes traffic through a WireGuard VPN tunnel. While functionally legitimate, it poses significant risk because it executes privileged system commands (wg-quick up, ip rule add) that modify networking configuration, and the VPN tunnel creates a covert channel that could bypass network monitoring. The skill's code contains no overtly malicious behavior, but the combination of shell execution, VPN tunneling, and outbound HTTP creates infrastructure that could be weaponized through script updates.
Findings (9)
HIGH Python script executes privileged system commands -40
fetch_transcript.py calls subprocess.run() to execute 'wg-quick up' and 'ip rule add', which modify system networking configuration. These commands typically require root privileges and alter routing tables, potentially affecting all network traffic on the host.
HIGH VPN tunnel creates covert exfiltration channel -35
The script routes all HTTP traffic through a WireGuard VPN tunnel bound to a residential IP. This means any data exfiltrated through the requests session would exit via the VPN rather than the host's default interface, potentially bypassing network monitoring and firewall rules. The SourceIPAdapter class explicitly binds all HTTP/HTTPS traffic to the VPN interface.
MEDIUM Outbound HTTP to third-party service -10
The get_video_title() function makes HTTP requests to noembed.com, a third-party oEmbed service. While this is functionally legitimate for fetching video metadata, the URL includes user-provided video IDs, and the response data is not validated beyond basic JSON parsing.
MEDIUM Agent instructed to run shell commands -25
SKILL.md's workflow instructs the agent to execute 'python3 scripts/fetch_transcript.py' via shell, giving the script full access to the execution environment including filesystem, environment variables, and network. The skill description is designed to trigger on common user requests ('summarize this YouTube video').
MEDIUM Sensitive files accessed during installation runtime -10
Filesystem monitoring detected reads of .env, .aws/credentials, and auth-profiles.json during the skill's installation context. While attributable to the OpenClaw runtime rather than the skill's code directly, the skill's Python script would have access to these same files when executed.
LOW Implicit privilege escalation via tool use -15
The skill's description ('Handles transcript fetching via residential IP proxy to bypass YouTube's cloud IP blocks') normalizes network infrastructure manipulation as part of its stated purpose, conditioning the agent to accept VPN and routing changes as expected behavior.
LOW Bare except clause suppresses errors silently -10
The get_video_title() function uses a bare except clause that silently swallows all exceptions, returning 'Unknown' values. This could mask network errors, DNS hijacking, or other anomalous behavior during execution.
INFO Clean clone behavior 0
No git hooks, submodules, symlinks, or install scripts detected. Filesystem events during clone are consistent with standard OpenClaw runtime initialization. No network connections attributable to the skill.
INFO Canary files untouched 0
All honeypot files (.env, SSH keys, AWS credentials canaries) remained intact with matching hashes before and after the audit.