YouTube Transcript Generator

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it claims: fetch YouTube subtitles, clean them, print them, and save a local transcript file.

Install only if you are comfortable using yt-dlp to access YouTube and saving transcript text on disk. Avoid transcribing sensitive videos in synced or shared folders, and provide an explicit output path when you want control over where the transcript is stored.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Low

Confidence: 88% confidence
Finding: The usage text does not clearly warn users that transcript content is saved to a local file by default, which can create unintended persistence of potentially sensitive video-derived text on disk. While not an active exploit by itself, this omission can lead to accidental data exposure on shared systems or in synced directories because users may assume output is only printed to stdout.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal