Youtube Serp

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed YouTube research client that sends user queries to AIsa using a required AISA_API_KEY and shows no hidden local access, persistence, or destructive behavior.

Install only if you trust AIsa with your AISA_API_KEY and YouTube research queries. Use a scoped or revocable key if available, avoid passing unrelated sensitive data in search terms, and rotate the key if you suspect exposure.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 93% confidence
Finding: The skill declares access to an API key and invokes a Python client for an external AIsa-backed service, which implies network use and environment-variable access, but it does not explicitly declare permissions for those capabilities. This is dangerous because consumers and policy engines may underestimate the skill's runtime privileges, reducing transparency and making it easier for sensitive data access or outbound requests to occur without clear review.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal