Back to skill

Security audit

YouTube Summarizer

Security checks across malware telemetry and agentic risk

Overview

The skill appears aimed at summarizing YouTube videos, but it needs review because it installs and runs unpinned third-party code and automatically stores or forwards full transcripts.

Review or pin the external mcp-server-youtube-transcript dependency before installing, especially on shared or privileged hosts. Only use the skill where it is acceptable for full transcripts to be saved under /root/clawd/transcripts and potentially sent to Telegram as file attachments; consider deleting transcript files after use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (7)

Context-Inappropriate Capability

Medium
Confidence
81% confidence
Finding
The skill instructs the agent to clone and install third-party code from GitHub at runtime, which expands trust to an external repository and introduces supply-chain risk unrelated to merely summarizing a video. In this context, installing software may be functionally useful, but doing so without pinning, verification, or explicit user approval creates a real security boundary crossing.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The skill directs shell and Node subprocess execution to retrieve transcripts, which creates command-execution capability and writes results to a fixed file path. Even if intended for a legitimate transcript fetch, this increases risk because URL/video ID handling and shell interpolation mistakes could lead to unsafe execution patterns or misuse of the host environment.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The README explicitly states that full video transcripts are saved to disk and may be sent to Telegram, but it does not warn users about retention, third-party transmission, or the possibility that transcripts may contain sensitive or copyrighted content. In an agent setting, automatic collection, local storage, and external delivery of message-triggered content can create privacy, compliance, and data-handling risk, especially on shared hosts or when users do not expect persistent storage.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill stores full transcripts on disk and may send them to Telegram, but the description does not clearly warn users about retention and third-party transmission. This is a real privacy and data-handling issue because transcripts can contain sensitive content, and forwarding or persisting them without explicit notice can violate user expectations or policy.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The sample output explicitly shows transcript files being written to a local path under /root without any user-facing notice about retention, access scope, or privacy implications. While this is not an exploit by itself, transcripts can contain sensitive spoken content, and undocumented persistence increases the risk of unintended disclosure on shared hosts, backups, logs, or later retrieval by other components.

Missing User Warnings

Low
Confidence
87% confidence
Finding
The platform-specific behavior states that transcripts are saved locally for some platforms but does not warn users that the content will persist on disk or may be accessible beyond the immediate chat interaction. In a summarizer skill, transcript text may include sensitive or copyrighted material, so silent local persistence creates a privacy and data-handling weakness even if the content originates from public videos.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The manifest explicitly states that full YouTube transcripts may be delivered to messaging platforms, but it provides no warning, consent mechanism, or privacy disclosure about transmitting potentially sensitive content to third-party services. This creates a real data-handling risk because users may trigger the skill expecting summarization only, while complete transcript contents and metadata could be forwarded externally without clear notice.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.