custom-youtube-summarize

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: it runs a local Python script to fetch a YouTube transcript and asks the LLM to summarize it.

Install only if you are comfortable with a local Python script making network requests to YouTube and sending the retrieved transcript text to the LLM for summarization. Do not use it for sensitive private video content unless that data flow is acceptable, and do not provide proxy credentials unless you intentionally use the bundled library outside this skill's documented flow.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 90%
Finding
The skill instructs the agent to execute a Python script and states that installed libraries are already available, which implies shell execution, filesystem access, and network access, yet no permissions are declared. This creates a transparency and policy-enforcement gap: an agent or platform may allow the skill to run without users or reviewers understanding that it can fetch remote content and execute local code.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 82%
Finding
The documented behavior says the skill extracts a transcript and summarizes it, but the described runtime flow emits the full raw transcript and relies on a later LLM step for summarization, which is a meaningful behavior mismatch. Combined with mention of bundled unrelated third-party libraries, this increases supply-chain and hidden-capability risk because reviewers cannot easily determine what code is present or whether it performs additional network or parsing actions beyond the stated purpose.

Context-Inappropriate Capability

High
Confidence: 88%
Finding
The worker performs fetch(event.data.url, event.data.fetchParams) on attacker-controlled message data with no allowlist, origin restriction, or validation. In a skill whose stated purpose is only YouTube transcript extraction/summarization, this creates an unjustified arbitrary network request primitive that could be abused for unintended external requests, data access within the browser security model, or expansion of the skill's capabilities beyond its declared scope.

Context-Inappropriate Capability

Medium
Confidence: 84%
Finding
This code explicitly supports rotating residential proxies, retry-on-block behavior, and country-based IP selection to work around YouTube blocking and location restrictions. In a skill whose stated purpose is only transcript extraction and summarization, these features materially expand the capability toward access-control evasion and make abuse easier even if the implementation itself is not directly malicious.

Missing User Warnings

Medium
Confidence: 95%
Finding
The CLI accepts proxy usernames and passwords directly as command-line arguments, which commonly exposes secrets through shell history, process listings, job control tools, and audit logs. In this skill context, users may run the summarizer on shared machines or CI environments, making accidental credential disclosure more likely even though the feature itself appears intended for legitimate proxy support.

VirusTotal

62/62 vendors flagged this skill as clean.
