Youmind Youtube Transcript

Security checks across malware telemetry and agentic risk

Overview

This transcript skill mostly matches its stated purpose, but it needs Review because it grants broad YouMind shell access and may send/save video data under broad triggers.

Install only if you trust YouMind and its npm CLI. Use it for explicit YouTube transcript requests, avoid private or sensitive videos unless you are comfortable storing them in your YouMind account, keep API keys in environment variables, and review any command beyond the documented install, board lookup, createMaterialByUrl, getMaterial, and transcript-file workflow.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 88%
Finding
Broad triggers like 'watch video', 'watch youtube', 'summarize video', and similar generic phrases can cause accidental invocation on ordinary conversations. That can lead to unintended transmission of user-supplied URLs and metadata to YouMind, unexpected file generation, and unanticipated use of API-backed actions on third-party content.

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill prominently advertises transcript extraction but does not clearly warn users that video URLs, transcript data, and metadata are sent to YouMind's service and saved to a YouMind board. This lack of disclosure can cause users to share private or sensitive video material without informed consent, increasing privacy and compliance risk.

VirusTotal

66/66 vendors flagged this skill as clean.
