Dataify Youtube Transcript By Id

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Dataify helper that submits YouTube transcript collection jobs, with token use and external API calls aligned to that purpose.

Install only if you intend to use Dataify for YouTube transcript jobs. Be aware that it may run for broadly worded YouTube transcript requests, and task submissions will use your Dataify API TOKEN and send the chosen video IDs and subtitle options to Dataify.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 89% confidence
Finding: The trigger description is extremely broad, covering generic terms like collect, scrape, fetch, extract, troubleshooting, task_id/status, and multilingual subtitle-related phrases. Overbroad routing can cause this skill to activate for ordinary user requests and then prompt for or use credentials and submit data to an external service unexpectedly.

Vague Triggers

Medium

Confidence: 89% confidence
Finding: The skill enables implicit invocation while the metadata describes broad trigger conditions such as collecting or scraping YouTube transcripts, including multilingual phrasing. Without narrow activation constraints in the manifest, the platform may invoke this skill unexpectedly from loosely related user requests, causing unintended external task submission and potential data disclosure or unauthorized API usage.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal