Back to skill

Security audit

YouTube AnyCaption Summarizer

Security checks across malware telemetry and agentic risk

Overview

This is a coherent YouTube transcription and summarization skill, with sensitive but disclosed optional cookie use for restricted videos.

Install only if you are comfortable with yt-dlp, ffmpeg, whisper.cpp, a downloaded Whisper model, local transcript/summary files, and OpenClaw model-based summarization. Use cookie options only when needed, prefer a dedicated or exported cookie file over a primary browser profile, and avoid processing highly sensitive private videos unless your local environment and configured OpenClaw model gateway are appropriate for that content.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • YARA SignaturesMalware Match, Webshell Match, Cryptominer Match
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill explicitly instructs the user to run local shell commands, read environment-dependent state, and create/write files, but it does not declare any permissions for shell, file access, or environment use. That mismatch weakens trust boundaries and can cause users or hosting systems to approve behavior they were not clearly warned about, especially given the skill also handles downloads, cookies, and local artifacts.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The public description presents the skill as a YouTube transcription/summarization workflow, but the behavior reportedly also includes external agent-session messaging, session key handling, and LLM gateway invocation. Hidden or under-disclosed control/data flows are dangerous because they can transmit user data, metadata, or credentials outside the user's expectation and expand the attack surface beyond simple local transcript generation.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The batch summarization script contains unrelated agent-session messaging functionality that forwards runtime status, titles, URLs, and failure details to an external openclaw session. In this skill context, transcripts may come from private or restricted YouTube videos, so emitting metadata and error text outside the local processing path increases confidentiality risk and creates an unexpected data-exfiltration channel.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README explicitly promotes support for private/restricted videos via browser cookies but does not warn that this requires access to authenticated browser session data. In a skill context, encouraging cookie use without clear privacy and credential-handling guidance can lead users to expose account sessions, especially if they do not understand how cookie extraction works or what data may be accessible.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The private-video example shows `--cookies-from-browser chrome` as a normal usage path without any caution about reading authenticated browser data. Because this is copy-paste-ready documentation, users may invoke it without understanding that browser cookies can grant access to their logged-in YouTube/Google session and should be treated as secrets.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill advertises support for private/restricted videos via cookies but gives no explicit warning that cookie files and browser-extracted cookies can contain active authentication material. In this context, that omission is risky because users may expose session credentials or authorize access to private content without understanding the sensitivity of the data being handled.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The example command using `--cookies-from-browser chrome` directly instructs access to browser-stored authentication data without an adjacent warning or consent step. Because browser cookies can unlock private YouTube content and potentially other linked session state, normalizing this action without caution materially increases credential-exposure risk.

Missing User Warnings

Low
Confidence
93% confidence
Finding
The template instructs the agent to return raw transcript and summary file paths directly to the user, which can disclose local filesystem structure, usernames, workspace layouts, mount points, or other environment details. While this is not direct code execution, it creates unnecessary information exposure that can aid follow-on attacks or leak sensitive operational context, especially when processing private or internal video content.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The script sends the full normalized transcript, including metadata such as title and source URL and potentially sensitive private-video content, to an LLM gateway subprocess without any explicit consent, warning, or data-minimization controls in the code path. In this skill's context, support for private/restricted videos and cookie-based access increases the privacy risk because users may process non-public content and not realize it is being forwarded to another service layer.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
The script supports passing a cookies file or extracting cookies directly from a browser profile to access private/restricted YouTube content, but it does not present an explicit warning, consent gate, or output disclosure when these sensitive authentication sources are used. In an agent/skill context, this increases the chance that a user or higher-level automation will unknowingly authorize use of live browser credentials, which can expose private account data or broaden access beyond intended scope.

YARA rule 'info_stealer': Information stealer patterns (credential harvesting, browser data theft) [malware]

High
Category
YARA Match
Content
```bash
python3 scripts/run_youtube_workflow.py "https://www.youtube.com/watch?v=VIDEO_ID" \
  --cookies-from-browser chrome
```

### Batch / queue mode
Confidence
97% confidence
Finding
cookies-from-browser chrome

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.