Security audit

YouTube Intelligence Extractor

Security checks across malware telemetry and agentic risk

Overview

This skill mostly does the advertised YouTube transcript analysis, but it also tells the agent to automatically save reports and modify the skill’s own instructions after use.

Install only if you are comfortable with automatic markdown report files and can prevent or review any attempted edits to SKILL.md. Avoid private videos or sensitive transcripts unless third-party transcript fetching and persistent local report storage are acceptable.

SkillSpector (by NVIDIA)

Vulnerability patterns checked:
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access

Findings (7)

Description-Behavior Mismatch (Medium severity, 93% confidence)

Finding: The skill expands beyond transcript extraction into automatic persistence of generated content without user opt-in. Unprompted file creation changes the agent from a read/process tool into one that writes data to storage, which can create privacy, retention, and workspace side effects the user did not request.

Description-Behavior Mismatch (High severity, 99% confidence)

Finding: The skill instructs the agent to modify its own SKILL.md after runs, which is self-modifying behavior unrelated to the user task. Self-modification is dangerous because it enables persistence of unexpected behavior across sessions, policy drift, and potential prompt injection becoming embedded into future executions.

Context-Inappropriate Capability (High severity, 99% confidence)

Finding: Automatic self-update capability is unjustified for a transcript extraction skill and creates a persistent modification channel with no approval boundary. Any bad output, adversarial transcript content, or mistaken inference about 'improvements' could be written back into the skill, compounding risk over time.

Intent-Code Divergence (Medium severity, 84% confidence)

Finding: The documentation presents file output as constrained to an output directory, but elsewhere authorizes modifying SKILL.md itself, creating an inconsistent and broader write scope than implied. This mismatch can mislead operators about where the agent may write and weakens trust boundaries around filesystem access.

Missing User Warnings (Medium severity, 91% confidence)

Finding: The skill instructs automatic saving without warning or consent, which can store user-derived content unexpectedly. Even if the content is not inherently sensitive, silent persistence can violate user expectations, retention policies, and least-surprise principles.

Missing User Warnings (Medium severity, 90% confidence)

Finding: The skill directs writes to a concrete filesystem path without a safety warning, approval step, or discussion of data handling. Hardcoded output paths increase the chance of unintended persistence and normalize autonomous file writes as part of routine processing.

Missing User Warnings (High severity, 99% confidence)

Finding: Instructing self-modification of SKILL.md without warning is a severe form of silent persistence. It allows the agent to alter its own operating instructions without user awareness, which can embed errors, unsafe practices, or prompt-injected content into future runs.

VirusTotal

63/63 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.