Youtube video scorer

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it says: it calls WorthClip's disclosed API to score YouTube videos, retrieve a feed, and check usage.

Install this only if you trust WorthClip with your WorthClip API key and the YouTube video IDs or feed filters you ask it to process. Use a revocable API key, and keep profile or account-changing actions such as channel tracking or persona/goals updates explicitly user-directed.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The skill instructs the agent to send authenticated requests to a third-party API using the user's API key, but it does not clearly warn that user-supplied video identifiers, channel URLs, persona, goals, and related query data will be transmitted off-platform to WorthClip's backend. In an agent context, lack of explicit disclosure can cause unintended external sharing of user data and preferences, especially because the skill supports persona/goals endpoints that may contain sensitive profiling information.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal