YouTube Content Manager Pro

Security checks across malware telemetry and agentic risk

Overview

This looks like a real YouTube content tool, but its billing behavior, external AI provider, and embedded service keys are not disclosed clearly enough for automatic trust.

Review carefully before installing. Confirm the real SkillPay pricing and whether payment is prepaid, per-use, or lifetime; avoid entering confidential content plans or business metrics until the publisher documents what is sent to SiliconFlow and SkillPay; and treat the embedded API keys and debug server configuration as issues the publisher should fix before broad use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 73%
Finding: The skill advertises external payment verification and requires an OpenAI API key, which implies network access, yet no permissions are declared. Missing or incomplete permission disclosure is a security issue because it prevents users and platforms from accurately assessing what the skill can access and transmit, especially when prompts, API keys, or payment-related metadata may leave the local environment.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 86%
Finding: The documented purpose is content generation, but the analyzed behavior also includes billing enforcement, session-based payment verification, and SQLite storage of user-generated content and publishing records. This mismatch is dangerous because users may disclose content plans, account-related information, or payment context without understanding that the skill also performs monetization control and persistent data storage beyond the stated primary function.

Intent-Code Divergence

Medium
Confidence: 89%
Finding: The statement 'Local data storage, 100% safe' is misleading and overclaims security, especially because the skill explicitly requires external OpenAI API usage. Absolute safety claims can cause users to trust the tool with sensitive unpublished content, prompts, or business plans even though data may be transmitted off-device and no evidence is provided for the security assertion.

Description-Behavior Mismatch

High
Confidence: 97%
Finding: The billing behavior is inconsistent with the advertised pricing: the payment-link flow requests amount 8 while per-use charging sends amount 0. This can mislead users into paying materially more than disclosed or create opaque billing behavior, which is especially risky because charging is triggered automatically in a before_request hook.

Missing User Warnings

High
Confidence: 99%
Finding: Hardcoded API secrets for both billing and the external AI provider are embedded directly in source code. If the code is leaked, reused, or logged, attackers can abuse these credentials to make fraudulent billing requests, consume paid API quota, or impersonate the service.

Missing User Warnings

Medium
Confidence: 89%
Finding: User-provided content is transmitted to a third-party AI API without any visible disclosure, consent flow, or data-handling notice. This creates privacy and compliance risk because users may submit sensitive business ideas, content plans, or unpublished scripts without realizing they are leaving the local app boundary.

Missing User Warnings

Medium
Confidence: 90%
Finding: The application initiates external billing calls and payment-link generation without an obvious in-app warning or explicit user confirmation. Because the payment check runs automatically before requests, users may be unexpectedly charged or redirected into a billing flow without clear consent.

Ssd 1

Medium
Confidence: 88%
Finding: User-controlled topic text is interpolated directly into the LLM prompt, allowing prompt injection that can alter model behavior, break expected JSON formatting, or cause policy bypass within the generation flow. In this app, the result is bounded to content generation rather than system command execution, but it can still produce manipulated outputs, malformed responses, or unintended disclosure to the external model.

Ssd 1

Medium
Confidence: 87%
Finding: User-supplied niche text is inserted verbatim into the topic-generation prompt, enabling semantic prompt injection that can redirect the model away from intended behavior or cause it to emit invalid JSON. Because the app relies on the LLM response for downstream processing and storage, malformed or adversarial outputs can degrade reliability and potentially store abusive content.

VirusTotal

64/64 vendors flagged this skill as clean.
