Extracts and analyzes YouTube lecture subtitles to identify key points, evidence, and actionable insights for review, writing, and teaching purposes.
Security Analysis
Medium confidence: the skill mostly matches its description (fetching and summarizing YouTube transcripts) but contains unexpected and unexplained hard-coded proxy behavior and minor metadata/code inconsistencies that warrant caution before use.
The name and description align with using youtube-transcript-api to extract and analyze subtitles. However, the repo metadata and SKILL.md declare an HTTP proxy (127.0.0.1:26739) and list 'requests' as a dependency even though the script does not use requests; those additions are not explained by the stated purpose and are unexpected.
Runtime instructions and the included script perform only transcript fetching, text cleaning, summarization, console output, and writing a report file to disk (lecture_analysis_<video_id>.txt). But the script unconditionally sets HTTP_PROXY and HTTPS_PROXY to http://127.0.0.1:26739 before importing the transcript library — this forces all HTTP(S) traffic from the process through a local proxy without justification in the SKILL.md. Forcing a proxy is out-of-scope for a transcript analyzer and could be used to reroute network traffic if the local proxy forwards externally.
There is no install spec (instruction-only), which minimizes install-time risk. The package declares dependencies (youtube-transcript-api, requests) in _meta.json and SKILL.md, but there is no automated install step — the user or environment must install them. The 'requests' dependency is declared but unused in the code, an inconsistency but not itself malicious.
The skill requests no external credentials, which is appropriate. But it forcibly sets HTTP_PROXY/HTTPS_PROXY environment variables to a localhost proxy. Requesting/forcing proxy environment variables without user consent is disproportionate to the task and is the primary security concern: if a local proxy is configured to forward traffic to an external server, transcript data (or other HTTP traffic from the process) could be routed through an attacker-controlled endpoint. No other environment variables or sensitive paths are requested.
The skill is not marked always:true, does not modify other skills, and does not persist credentials or alter agent configuration. Its only persistent effect is writing an analysis text file to the current working directory, which is expected for a CLI analysis tool.
Guidance
What to consider before installing or running this skill:
- The main red flag is that the script force-sets HTTP_PROXY and HTTPS_PROXY to http://127.0.0.1:26739. That will route the skill's HTTP(S) traffic through a local proxy without asking you. If you run a local proxy that forwards to a remote server (intentionally or because of a misconfiguration), that could expose transcript data or other HTTP traffic. If you don't run such a proxy, this may be harmless but still surprising behavior.
- Actionable steps:
  - Inspect the script yourself. If you don't need the proxy, remove or comment out the two os.environ['HTTP_PROXY'] / HTTPS_PROXY lines before running.
  - Run the tool in an isolated environment (throwaway VM or container) the first time, and monitor outbound connections (e.g., with netstat/tcpdump) to confirm no unexpected external traffic.
  - Verify the declared dependencies (youtube-transcript-api) are installed from official sources. The declared 'requests' dependency is unused; consider removing it.
  - Confirm the source/trust: the package metadata lists a GitHub homepage but the provided 'Source' was unknown; prefer code from a verified origin or the official author.
  - Because the script writes analysis files to the current directory, ensure it runs in a folder where you are comfortable creating files.
- Summary recommendation: do not run this in a sensitive environment until you either remove the hard-coded proxy lines or verify the local proxy behavior. The rest of the code appears to implement the stated function, but the forced proxy is an unexplained behavior that justifies caution.
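One way to carry out the "inspect the script yourself" step above, as an added example that is not part of this listing or the skill's own code: a small Python AST check that reports every statement in a script that sets a proxy environment variable, run here against a constructed sample that mirrors the flagged pattern (the sample script, its line numbers and its import line are assumptions, not the skill's actual source).

```python
import ast

# Environment variables that redirect a process's HTTP(S) traffic when set.
PROXY_VARS = {"HTTP_PROXY", "HTTPS_PROXY", "ALL_PROXY",
              "http_proxy", "https_proxy", "all_proxy"}


def _is_environ(node):
    """True for `os.environ` or a bare `environ` (from os import environ)."""
    if isinstance(node, ast.Attribute) and node.attr == "environ":
        return isinstance(node.value, ast.Name) and node.value.id == "os"
    return isinstance(node, ast.Name) and node.id == "environ"


def _const(node):
    """Literal value of a constant node; None when the value is computed at runtime."""
    if type(node).__name__ == "Index":  # Python 3.8 wraps subscript keys in ast.Index
        node = node.value
    return node.value if isinstance(node, ast.Constant) else None


def find_proxy_assignments(source):
    """Return (line, variable, value) for each statement that sets a proxy variable
    via os.environ[...] = ..., os.environ.setdefault(...) or os.putenv(...)."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Assign):
            for target in node.targets:
                if isinstance(target, ast.Subscript) and _is_environ(target.value):
                    key = _const(target.slice)
                    if key in PROXY_VARS:
                        findings.append((node.lineno, key, _const(node.value)))
        elif isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
            f = node.func
            via_environ = f.attr == "setdefault" and _is_environ(f.value)
            via_putenv = f.attr == "putenv" and isinstance(f.value, ast.Name) and f.value.id == "os"
            if (via_environ or via_putenv) and len(node.args) == 2:
                key = _const(node.args[0])
                if key in PROXY_VARS:
                    findings.append((node.lineno, key, _const(node.args[1])))
    return sorted(findings)


# Constructed sample (not the skill's real script): a loopback proxy is forced
# before the transcript library is imported, which is the pattern flagged above.
SAMPLE_SCRIPT = """\
import os
os.environ['HTTP_PROXY'] = 'http://127.0.0.1:26739'
os.environ['HTTPS_PROXY'] = 'http://127.0.0.1:26739'
os.environ.setdefault('NO_PROXY', 'localhost')  # not a proxy-forcing variable, not reported
from youtube_transcript_api import YouTubeTranscriptApi
"""

if __name__ == "__main__":
    for line, var, value in find_proxy_assignments(SAMPLE_SCRIPT):
        print(f"line {line}: {var} forced to {value!r}")
```

A value of None in a finding means the proxy URL is built at runtime rather than hard-coded, which deserves a closer manual read.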
Latest Release
v1.0.0
YouTube Lecture Subtitle Analyzer 1.0.0
- Initial release: supports automatic extraction and analysis of lecture structure and key points from YouTube subtitles
- Output includes an overview, a structure map, key questions and answers, core concepts, an action list and other multi-dimensional information
- Clearly distinguishes facts, opinions, inferences and recommendations, and attaches a source quotation to every conclusion
- Supports configurable subtitle language priority and summary extraction
- Provides clear command-line usage and dependency notes
Published by @wallfacer-web on ClawHub