Dataify Youtube Comment By Id

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Dataify helper for submitting YouTube comment collection tasks, with a routing caution but no evidence of hidden, destructive, or deceptive behavior.

Install this only if you intend to submit Dataify YouTube comment collection jobs. Review the parameters before allowing submission, and save DATAIFY_API_TOKEN only if you are comfortable with future runs using that Dataify credential.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 86% confidence
Finding: The trigger description is broad enough to activate on generic requests about task_id, status, token configuration, or troubleshooting, even when the user may not be asking to run this specific Dataify workflow. Over-broad activation can cause unintended handling of credentials or submission actions in the wrong conversational context.

Vague Triggers

Medium

Confidence: 88% confidence
Finding: The skill enables implicit invocation while its activation scope is broad and keyword-heavy, which can cause the agent to trigger this external-action skill for loosely related user requests. Because the skill submits Dataify tasks and may use configured API credentials, ambiguous auto-triggering can lead to unintended third-party requests, data disclosure, or user actions being taken without sufficiently explicit intent.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal