Back to skill

Security audit

Bootleg Link Mcp

Security checks across malware telemetry and agentic risk

Overview

This music-downloader skill is mostly purpose-aligned, but it starts persistent local services and handles account/session material with broader network and destructive controls than users are clearly warned about.

Install only if you are comfortable giving this skill local account/session handling for music services and running persistent helper services. Keep the POT server bound to localhost or firewalled, avoid disabling TLS verification, do not use shared machines for exported cookies, review logs for token/proxy leakage, and treat clear_database as destructive.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (26)

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The server exposes unauthenticated administrative and debug-style endpoints such as /invalidate_caches, /invalidate_it, and /minter_cache. Because the service is also network-reachable, a remote party can trigger state changes or enumerate internal cache state, which expands attack surface beyond the stated token-provider role and can enable denial of service, operational disruption, or information disclosure.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The service binds to :: and falls back to 0.0.0.0, exposing it on all network interfaces instead of limiting access to localhost. Since it accepts requests that generate tokens and includes unauthenticated maintenance endpoints, remote reachability materially increases the chance of abuse, including unauthorized token generation, cache manipulation, and service abuse from other hosts.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The server listens on all interfaces (`::` with fallback to `0.0.0.0`), making the token provider network-accessible rather than local-only. In the context of a download-focused MCP skill, exposing an auxiliary HTTP service broadens the attack surface and enables unintended remote access to internal token-generation functionality.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The application exposes `/get_pot`, `/invalidate_caches`, `/invalidate_it`, `/minter_cache`, and status endpoints without authentication while listening on all interfaces. A remote party can trigger token-generation workflows, invalidate caches, and enumerate internal cache state, causing abuse of the service, disruption, and possible leakage of operational details.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The code fetches JavaScript from YouTube's challenge endpoint and executes it with `new Function(interpreterJavascript)()`. Even if intended to solve BotGuard challenges, this is still runtime execution of remote code inside the server process, which creates a strong code-execution primitive if the upstream content, transport, or trust boundary is compromised. In this skill context, a downloader/token-provider does need to interact with YouTube, but executing arbitrary fetched code on the host is still unusually dangerous and significantly raises risk.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
`disableTlsVerification` is exposed as a configurable option and is later used to set `rejectUnauthorized: !disableTlsVerification`, allowing outbound HTTPS connections without certificate validation. This enables man-in-the-middle interception of traffic, including challenge scripts, tokens, and proxy-authenticated requests; combined with remote JavaScript execution, it materially increases compromise risk.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The /auth endpoint discloses whether local YouTube authentication cookies exist, the cookie count, and the cookie file path to any process that can reach the loopback service. That leaks sensitive environment and account-state metadata unnecessary for core download orchestration, which can aid local reconnaissance or targeting by other malware or untrusted local users.

Context-Inappropriate Capability

Medium
Confidence
81% confidence
Finding
This MCP server is not a passive proxy: it silently starts and manages a local background daemon using systemd or detached subprocesses. In the skill context, that increases trust and attack surface because merely loading or invoking the server can create persistent local processes without explicit consent.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README explicitly documents a flow that exports authenticated Google/YouTube cookies for use by yt-dlp, but provides no warning about the sensitivity of those credentials, storage scope, or reuse risk. Exported cookies can enable account session hijacking or unauthorized access if leaked through logs, disk files, other tools, or shared environments, and this skill’s automation context increases the chance of over-broad downstream use.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill promotes login and authentication flows using Playwright and cookie-based auth without clearly warning users that browser cookies or credential-derived session state may be stored or manipulated locally. That creates privacy and account-security risk, especially for services like Google and Beatport, because users may not realize sensitive authentication artifacts are being handled by an automation tool.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill exposes destructive operations such as clearing completed tasks and wiping the entire database, but the description does not warn that these actions may be irreversible. Users could unintentionally delete task history, metadata, and persisted state, causing data loss and operational disruption.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The README explicitly instructs users to run a local HTTP token-generation server and discusses publishing its port, but it does not clearly warn that exposing the service beyond localhost can allow other hosts to request or abuse token generation. In this skill's context, the server exists to help bypass YouTube bot checks, so exposing it increases privacy, abuse, and unauthorized-use risk even if the software is intended for local use.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
This code sends sensitive request metadata to an HTTP service on 127.0.0.1, including proxy settings, source address, TLS-verification preference, attestation challenge, and InnerTube context, without any authentication, encryption, or visible consent mechanism in this file. Although the endpoint is local, any untrusted process bound to that port or a misconfigured base_url could receive and misuse this information, enabling privacy leakage, request hijacking, or token abuse.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README explicitly documents a `disable_tls_verification` option, which enables users or integrators to turn off certificate validation for network requests. Disabling TLS verification makes man-in-the-middle interception and spoofing of upstream services significantly easier, and the documentation does not warn about these risks or constrain use to debugging-only scenarios.

Missing User Warnings

Low
Confidence
79% confidence
Finding
The README documents support for sending requests through an arbitrary proxy but does not warn that request metadata, tokens, and other traffic may transit third-party infrastructure. In this skill context, the server handles PO token generation and related request context, so proxying can expose sensitive request details or enable traffic inspection if operators use untrusted proxies.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The cache invalidation endpoints perform state-changing actions without any authentication, confirmation, or CSRF-resistant design. In a remotely reachable service, an attacker can repeatedly clear caches or invalidate internal state, causing disruption, degraded performance, or forced regeneration of token/session material.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The code logs sensitive security artifacts in plaintext, including the generated integrity token metadata and the minted PO token. These tokens may grant access or enable replay/abuse within their validity window, and logs are commonly accessible to operators, support tooling, or centralized log platforms far beyond the original trust boundary.

Missing User Warnings

High
Confidence
99% confidence
Finding
The code fetches JavaScript from a remote URL in the challenge object and executes it with `new Function(...)` in the current process context. Any compromise of the upstream source, network path, proxy, or challenge URL handling would result in arbitrary code execution inside the server, which is a severe trust-boundary violation.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
The undici proxy log prints the full proxy URL, unlike the redacted logging used elsewhere in the file. If the proxy URL contains embedded credentials, they will be exposed in logs, potentially leading to proxy compromise, lateral movement, or reuse of the same credentials in other systems.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The cache invalidation endpoints perform administrative state changes with no authentication, CSRF protection, or warning, and they are reachable over the network because the server binds to all interfaces. An attacker can repeatedly clear caches or invalidate internal state, degrading service reliability and potentially forcing expensive regeneration behavior.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
`getFetch` logs the raw proxy URL with `logger.log(`[undici] Proxy: ${proxyUrl}`)`, unlike `asDispatcher`, which masks the password. If the proxy URL contains embedded credentials, those secrets will be written to logs and may be exposed to operators, support systems, or centralized log collectors.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The generated `poToken` is written directly to logs. Tokens are sensitive session/authentication artifacts; logging them can enable replay or misuse by anyone with log access and unnecessarily broadens the exposure surface.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The daemon exposes cookie/authentication metadata over an unauthenticated HTTP endpoint on localhost without any warning or access control. In a local MCP/agent ecosystem where multiple tools may run under the same user, this increases the chance of privacy leakage and makes local account reconnaissance easier.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The server exposes tools that collect account credentials and forwards them to a local daemon, but this file provides no warning, consent flow, or transport/security disclosure. In an MCP skill, users may not realize passwords are being handed to an auxiliary process, creating elevated risk of credential misuse, logging exposure, or compromise if the daemon is unsafe.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The code auto-starts a background daemon during import/startup with no interactive warning or confirmation. In this skill context, silent process creation is more dangerous because users expect an MCP server, not hidden service management and persistence behavior.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dynamic_code_execution, suspicious.env_credential_access, suspicious.exposed_resource_identifier

Dynamic code execution detected.

Critical
Code
suspicious.dynamic_code_execution
Location
bgutil-ytdlp-pot-provider/server/build/session_manager.js:228

Dynamic code execution detected.

Critical
Code
suspicious.dynamic_code_execution
Location
bgutil-ytdlp-pot-provider/server/src/session_manager.ts:311

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
bgutil-ytdlp-pot-provider/server/build/session_manager.js:124

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
bgutil-ytdlp-pot-provider/server/src/session_manager.ts:172

Plaintext HTTP endpoint targets a CGNAT/Tailscale-range address.

Critical
Code
suspicious.exposed_resource_identifier
Location
README.md:63