Youtube Audio Download

Security checks across malware telemetry and agentic risk

Overview

The skill describes a narrow YouTube audio downloader, but its tool entry points to an absolute path for a Python file that is not included in the package, so the code that would actually run is outside the reviewed artifact.

Review before installing. Ask the publisher to include the Python downloader inside the package and use a package-relative entry path. If you still use it, inspect the external download_audio.py file first, provide cookies only when necessary, and treat cookies.txt as sensitive session data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Low
Confidence: 91%
Finding
This manifest description states the skill's capability in general terms but provides no explicit trigger phrases, activation boundaries, or exclusion conditions. In a manifest file, that lack of specificity can make it unclear when the skill should be invoked versus when a general request about YouTube audio should not activate it.

VirusTotal

64/64 vendors flagged this skill as clean.
