ClawHub

YouTube Transcript (yt-dlp captions)

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its YouTube transcript purpose, but the bundle contains dormant third-party transcript-provider code despite promising not to contact third parties.

Review before installing if you rely on the guarantee that only YouTube is contacted. In current static flow it appears to use yt-dlp, YouTube/youtubei, optional user-provided cookies, and a local cache, but the publisher should remove or clearly disclose the dormant third-party provider code. Only provide cookies when necessary and treat the cache as transcript history.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Lp3

Medium
Category
MCP Least Privilege
Confidence
96% confidence
Finding
The skill documentation declares no explicit permissions while describing behavior that uses shell execution, network access to YouTube, environment-variable secret input, and file reads/writes for cookies and SQLite caching. This mismatch can weaken user and platform consent boundaries by causing a networked, file-accessing skill to appear less privileged than it really is.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The manifest describes extraction via existing YouTube captions using yt-dlp, but the code also contains an undocumented fallback that scrapes YouTube watch pages and calls the internal `youtubei/v1/get_transcript` API directly. This hidden network behavior increases data-handling and maintenance risk because operators may believe the skill only uses yt-dlp while it actually performs additional direct HTTP requests and may attach user cookies/auth headers.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal