Security audit

Youtube Kol Scraper

Security checks across malware telemetry and agentic risk

Overview

This skill transparently automates YouTube creator/contact scraping, which has privacy and compliance risks but no hidden exfiltration, destructive behavior, or deceptive instructions in the artifact.

Install only if you have a legitimate reason to collect creator contact data. Use it on publicly available information, respect YouTube and linked-site terms, avoid spam or profiling, and consider running it in a separate browser profile because browser-act operates in a browser context.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 87% confidence
Finding: The skill is explicitly designed to collect creators' contact emails and scrape linked external sites, which involves privacy-sensitive personal data collection. While the data appears intended to be publicly exposed, the absence of any user-facing warning, consent guardrail, purpose limitation, or rate/terms-of-service guidance increases the risk of misuse for spam, profiling, or non-compliant data harvesting.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Critical

Code: suspicious.exposed_secret_literal
Location: SKILL.md:85