把中文全渠道内容(抖音 / B站 / 小红书 / 公众号 / X / 播客)采集进个人知识库的 13 个 AI Skill:图文存图、视频转文字稿、字幕优先免 GPU,附带知识库 MCP server。 | Ingest Chinese content into your personal knowledge base — image/video routing, subtitle-first transcription, and a KB MCP server.
Config is the same across clients — only the file and path differ.
{
"mcpServers": {
"chubbyskills": {
"args": [
"yt-dlp"
],
"command": "uvx"
}
}
}Are you the author?
Add this badge to your README to show your security score and help users find safe servers.
平时做内容、搭个人知识库,也写一些 AI Agent / Skill 的实践。我习惯把每天刷到的好东西——视频、播客、公众号、小红书、推特——自动收进自己的知识库,让信息真正沉淀下来,而不是看完就忘。这个仓库里的工具,就是这套工作流里我自己每天在用的那几件。
Run this in your terminal to verify the server starts. Then let us know if it worked — your result helps other developers.
uvx 'yt-dlp' 2>&1 | head -1 && echo "✓ Server started successfully"
After testing, let us know if it worked:
Five weighted categories — click any category to see the underlying evidence.
yt-dlp: Arbitrary command injection possible if --exec option used with yt-dlp
### Summary yt-dlp's `--exec` option is vulnerable to arbitrary command injection when handling untrusted metadata if the argument uses standard string formatting (e.g. `%(title)s`) or other unsafe conversions. An attacker could achieve remote code execution on the user's machine via maliciously crafted metadata containing quotes or other special shell characters. ### Details Since yt-dlp version 2021.04.11, the `--exec` option has supported "output template syntax", which is a superset of Pyth
yt-dlp: Arbitrary code execution via manifest downloads with aria2c
### Summary If aria2c is used as an external downloader for a fragmented manifest format (such as an HLS/DASH stream), yt-dlp passes insufficiently sanitized input to aria2c that allows an attacker to perform an arbitrary file write. On Windows platforms, this can lead to immediate arbitrary code execution. On non-Windows platforms, this can lead to arbitrary code execution upon the next invocation of yt-dlp. ### Details When downloading a fragmented manifest format such as an HLS or DASH strea
yt-dlp: Dangerous file type creation via insufficient filename sanitization (Bypass of CVE-2024-38519)
### Summary A vulnerability exists in yt-dlp that allows a remote attacker to write arbitrary OS-shortcut files (such as `.desktop`, `.url`, `.webloc`) to the user's filesystem, bypassing the remediation for `CVE-2024-38519`. ### Details The fix for `CVE-2024-38519` enforced an allowlist for file extensions, in order to prevent writing files with unsafe extensions (such as `.exe` or `.sh`) during file downloads. However, this allowlist explicitly included the unsafe extensions `.desktop`, `.ur
yt-dlp: File Downloader cookie leak with curl
### Summary If curl is used an external downloader for yt-dlp, cookies may be leaked to an unintended host upon HTTP redirect or when the host for download fragments differs from their parent manifest's. This is the equivalent to [GHSA-v8mc-9377-rwjj](<https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-v8mc-9377-rwjj>) for the `curl` downloader. The vulnerable behavior is present in [yt-dlp](https://github.com/yt-dlp/yt-dlp) released since 2023.09.24. ### Details At the file download st
yt-dlp: Arbitrary Command Injection when using the `--netrc-cmd` option
### Summary When yt-dlp's `--netrc-cmd` command-line option (or `netrc_cmd` Python API parameter) is used, an attacker could achieve arbitrary command injection on the user's system with a maliciously crafted URL. ### Impact yt-dlp maintainers assume the impact of this vulnerability to be high for anyone who uses `--netrc-cmd` in their command/configuration or `netrc_cmd` in their Python scripts. Even though the maliciously crafted URL itself will look very suspicious to many users, it would be
Be the first to review
Have you used this server?
Share your experience — it helps other developers decide.
Sign in to write a review.
Others in ai-ml / education
Dynamic problem-solving through sequential thought chains
Persistent memory using a knowledge graph
An open-source AI agent that brings the power of Gemini directly into your terminal.
An autonomous agent that conducts deep research on any data using any LLM providers
MCP Security Weekly
Get CVE alerts and security updates for Chubbyskills and similar servers.
Start a conversation
Ask a question, share a tip, or report an issue.
Sign in to join the discussion.
我是 Chubby,Ai+电商的探索者
平时做内容、搭个人知识库,也写一些 AI Agent / Skill 的实践。我习惯把每天刷到的好东西——视频、播客、公众号、小红书、推特——自动收进自己的知识库,让信息真正沉淀下来,而不是看完就忘。这个仓库里的工具,就是这套工作流里我自己每天在用的那几件。
同好的话,欢迎来唠:
都是在自己项目里跑通了一段时间,确实省事,才搬出来开源的。没什么花活,就是几个挺实用的东西。
这里的每个 Skill 都是 Agent 能直接加载的结构化指令集,遵循 Agent Skills 开放标准。Claude Code、Codex、OpenCode、OpenClaw、Hermes 都能装。
一句话:把中文全渠道的内容,变成你自己的、可检索的第二大脑。
这个仓库已经从「单个 skill 能跑」推进到「个人内容采集管线」:
chubby.yaml、队列、运行状态、失败重试、每日运行报告、schema v1quickstart 首跑验收,离线打通配置、dry-run、schema 校验、平台定义、vault 索引和 MCP 前置检查下一阶段会继续补更完整的真实平台 smoke test、embedding provider 和 MCP 工作流。
git clone https://github.com/chubbyguan/chubbyskills.git
cd chubbyskills
python3 tools/chubby.py quickstart
quickstart 不会抓真实平台内容,会离线完成配置初始化、X 链接 dry-run、示例 Markdown 校验、平台定义校验、临时 vault 索引和 MCP 前置检查。完整说明见 docs/quickstart.md。
bash setup.sh
# 等同于 bash setup.sh light
轻量模式可直接使用:公众号文章、X 图文、小红书图文、行业情报雷达、知识库健康检查、content-enrich。只有视频/播客转录才需要装重依赖。
bash setup.sh video # 抖音/B站/TikTok/微博/知乎/YouTube/小红书视频/X视频
bash setup.sh podcast # 播客转录
bash setup.sh wechat # 公众号/PDF 解析增强
bash setup.sh all # 全部依赖
# 初始化 chubby.yaml、队列、状态和报告目录
python3 tools/chubby.py init
# 或直接跑 v0.8 首跑验收
python3 tools/chubby.py quickstart
# 单条采集,会写入 .chubby/runs.jsonl 并生成 runs/YYYY-MM-DD.md
python3 tools/chubby.py ingest "https://x.com/user/status/123" --dry-run
# 把链接逐行放进 inbox/links.txt 后批量执行
python3 tools/chubby.py run
# 查看最近状态 / 重试失败项
python3 tools/chubby.py status --latest
python3 tools/chubby.py retry --all-failed
# 查看平台健康度和模板覆盖
python3 tools/platform_health.py --check
python3 tools/platform_health.py --local --check
# 建立本地知识库索引并检索
python3 tools/vault_index.py index ~/Documents/ObsidianVault
python3 tools/vault_index.py search "AI Agent"
# 自动识别平台并调用对应 s
... [View full README on GitHub](https://github.com/chubbyguan/chubbyskills#readme)