Skill v1.3.2

VirusTotal security

Youtube Summary · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Review May 1, 2026, 4:34 AM
Hash
8d438b13a4122282e3de3f2ef1f68eb3dbfbf1b40bf23a8ec8d457534f0433d7
Source
palm
Verdict
suspicious
Code Insight
Type: OpenClaw Skill
Name: yt-summary
Version: 1.3.2

The skill is classified as suspicious primarily due to its explicit support for 'custom prompts' which allows direct prompt injection against the underlying Large Language Model (LLM). While this is an advertised feature for customizing summaries, it represents a significant risk where a user could instruct the LLM to generate harmful content or attempt to bypass its safety mechanisms.

Additionally, the `SKILL.md` file instructs the agent to execute shell commands with user-controlled input (`YOUTUBE_URL_OR_ID`). Although the `scripts/extract.py` and `scripts/utils.py` files implement robust sanitization (via `extract_video_id`) to mitigate shell injection risks, the pattern of passing unsanitized user input directly into a shell command is a design that could be vulnerable if the sanitization were ever weakened or bypassed.

There is no evidence of intentional malicious behavior such as data exfiltration or backdoors.