Youtube → Pocket Casts

Name/description (YouTube -> Pocket Casts) matches what the files do: the script downloads a video (yt-dlp) and uploads it to Pocket Casts via its API using a user-provided refresh token and YouTube cookies. No unrelated services, binaries, or credentials are requested.

SKILL.md and the script keep to the stated task. The instructions explicitly require a Pocket Casts refresh token and YouTube cookies and explain where to store them; the script reads only those files, downloads the video to /tmp, requests a presigned upload URL from api.pocketcasts.com, PUTs the file, and deletes the local file. There is no hidden data collection or extra file-system access beyond the credentials directory and /tmp.

There is no install spec (instruction-only skill) and the code is local. The only potentially risky instruction is an optional recommendation to install deno via a remote install script (curl https://deno.land/install.sh | sh). That is standard but involves running an external install script; it's optional and not required for the core flow. The script also expects yt-dlp to be runnable via 'uvx yt-dlp' (uvx is referenced in prerequisites); ensure yt-dlp is installed and callable on your system.

The skill requests no platform-level secrets. It asks the user to provide a Pocket Casts refresh token and YouTube cookies — these are directly needed for the described flow. The skill introduces one override env var (CLAWDBOT_CREDENTIALS) which is reasonable and documented. No unrelated credentials or broad environment access are requested.

The skill does not request always:true and does not alter other skills or system-wide settings. It stores user-provided credential files under a user-owned path (~/.clawdbot/credentials/pocket-casts) and does not persist beyond that. The agent can invoke autonomously (platform default), which is expected for a user-invocable skill.