Skill v0.1.0
VirusTotal security
Youtube Transcribe Skill · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 30, 2026, 4:43 AM
- Hash: d1ddffd155094ddedafacb2f1dd55538f5b0d29c2b77f99375f0d4b64e63bd04
- Source: palm
- Verdict: suspicious
- Code Insight:
  - Type: OpenClaw Skill
  - Name: youtube-transcribe-skill
  - Version: 0.1.0
  - The skill is classified as suspicious due to the use of powerful capabilities that, while potentially functional for its stated purpose, introduce significant security risks. Specifically, the `SKILL.md` instructions allow `yt-dlp` to access browser cookies via `--cookies-from-browser`, and critically, grant the agent the ability to execute arbitrary JavaScript in the user's browser context using `mcp__plugin_claude-code-settings_chrome__evaluate_script`. While the provided JavaScript is benign, this capability represents a browser-side Remote Code Execution (RCE) vulnerability, making the skill highly susceptible to prompt injection attacks for data exfiltration or other malicious browser actions.
