youtube-manager

Security checks across malware telemetry and agentic risk

Overview

This YouTube automation skill is not clearly malicious, but it needs review: its upload helper appears to return a fabricated success result without performing an upload, and its handling of account credentials is under-explained.

Review before installing. Use a dedicated YouTube test account first, do not rely on the upload helper until it proves a real API upload occurred, and store OAuth client secrets and refresh tokens only in protected secret storage. Require explicit confirmation before any upload, report delivery, notification, or visibility-changing action.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill advertises capabilities that inherently require network access and likely environment-based credential handling, yet it declares no permissions or equivalent trust boundaries. This creates a transparency and governance gap: users and host systems may invoke a skill that can reach external APIs or use secrets without explicit disclosure, increasing the chance of unintended data access or exfiltration.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The function is presented as performing a YouTube upload but only checks inputs and returns a fabricated success object with a hard-coded video ID. In an automation skill, this can mislead downstream agents or users into believing a publication action occurred, causing operational integrity failures, false reporting, and skipped error handling for a real upload path.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The docstring explicitly states the function uploads to YouTube, while the implementation constructs a mock success response instead. This mismatch is dangerous in a channel-management skill because agents may trigger follow-on actions such as reporting, notifications, or compliance workflows based on a nonexistent upload.
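The two findings above describe the same defect from two sides: a helper whose docstring promises an upload but whose body returns a canned success object. The following Python is an added example, not code from the skill or the scanner. It reconstructs the flagged pattern as a constructed mock client, stands an in-memory client in for a real API, and wraps both in a verify-after-write gate that only reports success when the returned ID is well-formed and can be read back. The client class names, the `confirm` callback, and the in-memory store are assumptions; the ID format check reflects the 11-character YouTube video ID alphabet.

```python
"""Verify-after-write gate for an agent upload tool (added example)."""
import re
import uuid

# YouTube video IDs are 11 characters drawn from [A-Za-z0-9_-].
VIDEO_ID_RE = re.compile(r"^[A-Za-z0-9_-]{11}$")


class UploadNotVerified(RuntimeError):
    """The helper claimed success but the upload could not be confirmed."""


class MockUploadClient:
    """Constructed stand-in for the flagged pattern: validates inputs, never
    calls any API, and returns a canned success object with a fixed ID."""

    def insert(self, path, title):
        if not path or not title:
            raise ValueError("path and title are required")
        return {"id": "MOCKID00000", "status": {"uploadStatus": "uploaded"}}

    def list(self, video_id):
        return []  # nothing was ever uploaded, so nothing can be read back


class InMemoryUploadClient:
    """Constructed stand-in for a real client: insert() stores the video and
    assigns an ID, list() reads it back the way a videos.list call would."""

    def __init__(self):
        self._videos = {}

    def insert(self, path, title):
        if not path or not title:
            raise ValueError("path and title are required")
        vid = uuid.uuid4().hex[:11]  # hex is a subset of the allowed alphabet
        self._videos[vid] = {"id": vid, "snippet": {"title": title}}
        return {"id": vid, "status": {"uploadStatus": "uploaded"}}

    def list(self, video_id):
        return [self._videos[video_id]] if video_id in self._videos else []


def verified_upload(client, path, title, confirm):
    """Upload only after explicit confirmation, then refuse to report success
    unless the API returned a well-formed ID that reads back with the
    requested title. A mocked helper fails the read-back even though its
    fake ID passes the format check."""
    if not confirm(f"Upload {path!r} with title {title!r}?"):
        raise PermissionError("upload not confirmed by user")
    resp = client.insert(path, title)
    vid = resp.get("id")
    if not isinstance(vid, str) or not VIDEO_ID_RE.fullmatch(vid):
        raise UploadNotVerified(f"malformed or missing video id: {vid!r}")
    readback = client.list(vid)
    if not readback or readback[0].get("id") != vid:
        raise UploadNotVerified(f"video {vid} not found after upload")
    if readback[0].get("snippet", {}).get("title") != title:
        raise UploadNotVerified("read-back title does not match the request")
    return {"video_id": vid, "verified": True}
```

The point of the read-back is that a hard-coded ID can be made to look valid; only a second, independent call to the same account proves the publication happened, and downstream reporting or notification steps should key off `verified`, not off the helper's own return value.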

Vague Triggers

Medium
Confidence
82% confidence
Finding
The description uses broad trigger phrases such as general YouTube data, reports, uploads, and end-to-end workflow automation, which can cause the skill to be selected for loosely related requests outside a narrowly intended scope. Over-broad invocation increases the chance the skill is run with account-linked actions or data access when the user only wanted informational help, creating unnecessary exposure and possible unintended side effects.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The markdown promotes automated uploads, reporting, and regular updates but does not clearly warn that these actions may access account data, publish content, transmit analytics externally, or trigger notifications. In a YouTube management context, these are high-consequence operations tied to user accounts and potentially sensitive performance data, so missing consent and privacy warnings makes accidental or overbroad automation more dangerous.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The guide explicitly documents sensitive OAuth environment variables including a client secret and refresh token, but provides no warning about secure storage, logging, version control exposure, or token rotation. In a skill meant for end-to-end YouTube automation, this can normalize unsafe secret handling and increase the chance that operators paste long-lived credentials into insecure files, prompts, or shared environments.
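One way to make the credential handling the finding asks for concrete is to keep the secrets behind a wrapper that never prints them, fail closed when one is missing, and redact known values from log output. The Python below is an added example, not code from the skill; the environment variable names `YOUTUBE_CLIENT_SECRET` and `YOUTUBE_REFRESH_TOKEN` are assumed, since the page mentions a client secret and a refresh token without reproducing the guide's names, and the sample values in the usage are constructed.

```python
"""Keep OAuth secrets out of reprs and logs (added example)."""
import logging
import os

# Assumed names; the skill's guide documents a client secret and a refresh
# token but the exact variable names are not reproduced here.
SECRET_ENV_VARS = ("YOUTUBE_CLIENT_SECRET", "YOUTUBE_REFRESH_TOKEN")


class Secret:
    """Wrapper whose str()/repr() never reveal the value. Callers must ask
    for .reveal() explicitly, which keeps tokens out of f-strings, dict
    dumps and tracebacks by accident."""

    def __init__(self, value):
        self._value = value

    def reveal(self):
        return self._value

    def __repr__(self):
        return "Secret(<redacted>)"

    __str__ = __repr__


class RedactSecrets(logging.Filter):
    """Logging filter that replaces any known secret value in a record."""

    def __init__(self, secrets):
        super().__init__()
        self._values = [s.reveal() for s in secrets if s.reveal()]

    def filter(self, record):
        msg = record.getMessage()
        for value in self._values:
            msg = msg.replace(value, "<redacted>")
        record.msg, record.args = msg, ()
        return True


def load_oauth_secrets(env=None):
    """Read the secrets from the environment (or a supplied mapping) and
    fail closed if any is missing, rather than running half-configured."""
    env = os.environ if env is None else env
    missing = [k for k in SECRET_ENV_VARS if not env.get(k)]
    if missing:
        raise RuntimeError(f"missing credentials: {', '.join(missing)}")
    return {k: Secret(env[k]) for k in SECRET_ENV_VARS}


def redacted_log_line(secrets, message):
    """Pass one message through the filter and return what would be logged."""
    record = logging.LogRecord("yt", logging.INFO, __file__, 0, message, (), None)
    RedactSecrets(secrets.values()).filter(record)
    return record.getMessage()


if __name__ == "__main__":
    # Constructed sample environment; real values belong in a secret store.
    sample_env = {"YOUTUBE_CLIENT_SECRET": "cs-sample", "YOUTUBE_REFRESH_TOKEN": "rt-sample"}
    creds = load_oauth_secrets(sample_env)
    print(creds)  # neither value appears
    print(redacted_log_line(creds, "refreshing with token rt-sample"))
```

Install the filter on every handler the skill uses (`handler.addFilter(RedactSecrets(creds.values()))`) so the refresh token cannot leak through a debug line, and keep the long-lived refresh token in the host's secret store rather than a `.env` file that is easy to commit.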

VirusTotal

0 of 63 vendors flagged this skill; all 63 reported it clean. Antivirus scanning looks for known malicious code, not for the logic and disclosure issues listed above, so a clean result does not resolve the findings.
