YouTube Transcript Extractor

Security checks across malware telemetry and agentic risk

Overview

This skill appears focused on extracting YouTube transcripts, with some documentation mismatch around Supadata and yt-dlp but no evidence of harmful behavior.

Before installing, verify which command actually runs and whether your environment uses Supadata, yt-dlp, or only the bundled YouTube scripts. Avoid using sensitive private or internal video URLs unless you are comfortable sharing the video ID and request metadata with YouTube or any configured transcript provider.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The skill explicitly states it uses a third-party service (Supadata API) as the primary extraction method and references an API key, but it does not warn users that submitted YouTube URLs/video IDs may be transmitted to an external provider. This creates a privacy and data-handling transparency issue, especially if users assume processing is local or if the videos are sensitive, private, or organization-specific.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal