Security audit

YouTube Transcript Extractor by AkkuAlle

Security checks across malware telemetry and agentic risk

Overview

This is a simple YouTube transcript helper with expected external API use and no evidence of hidden, destructive, or persistent behavior.

Install only if you are comfortable using a YouTube API key and sending requested video identifiers or URLs to YouTube/Google or optional transcript tools. Use a restricted API key, keep the .env file private, and verify any local helper, Python package, or yt-dlp command before running it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Low
Confidence: 82%
Finding
The skill instructs users to configure a YouTube API key but does not clearly warn that requests and video identifiers will be sent to Google or other third-party services. This creates a transparency and privacy issue: users may unknowingly transmit request metadata externally, especially since the skill also suggests alternative external tools and services.

VirusTotal

50/50 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.