Back to skill

Security audit

YouTube Daily Digest

Security checks across malware telemetry and agentic risk

Overview

The skill does what it says, but it packages real-looking credentials and relies on local OpenClaw secrets, so it should be reviewed before installation.

Install only after removing scripts/config.json or confirming it contains no usable secrets, and verify the script will use your own OpenClaw and Feishu configuration. Treat the cron setup as opt-in unattended processing: it will repeatedly fetch YouTube data, send transcript excerpts to the configured model gateway, and deliver summaries to Feishu.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Context-Inappropriate Capability

Medium
Confidence
78% confidence
Finding
The skill expands its capability by spawning an external downloader tool to fetch subtitle artifacts, which is broader than the stated digest-only behavior and increases local attack surface. In practice this means execution now depends on whatever yt-dlp binary is present in PATH, creating supply-chain and environment-trust risk on the host.

Context-Inappropriate Capability

Low
Confidence
74% confidence
Finding
The script reads local OpenClaw identity files to infer a Feishu recipient without explicit user selection. That broadens access to local identity data beyond the minimum necessary and can cause messages to be sent to an unintended account if stale or unexpected identity files are present.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The trigger phrases include generic terms such as 'daily digest' and '订阅更新', which can match normal conversation without a clear boundary indicating intentional activation. Broad activation increases the chance of accidental execution, potentially causing unintended network access, transcript retrieval, AI processing, and message delivery to Feishu recipients.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README states that the skill fetches YouTube transcripts, generates AI summaries, and pushes results to Feishu, but it does not present a clear user-facing warning that transcript content and derived summaries are transmitted to external AI and messaging services. Even if the source videos are public, the processing pipeline may expose user-selected subscriptions, preferences, recipient identifiers, and generated content to third parties without informed consent.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documentation explicitly instructs the skill to automatically read the OpenClaw gateway token from ~/.openclaw/openclaw.json. That token is a local secret used to authenticate to a model gateway, and auto-discovering/using it without an explicit consent prompt or warning normalizes secret access and can lead users to run code that silently consumes credentials they did not intend to expose to the skill.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
This section describes sending video transcript content to external services: first to the OpenClaw/Claude gateway for summarization, and later to Feishu for delivery, but does not warn users that third parties will receive derived or source content. Even if the data is 'just transcripts,' it may include private, copyrighted, or sensitive material, and users should be informed before content leaves the local environment.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script automatically reads Feishu app credentials and gateway tokens from local OpenClaw configuration and uses them for outbound API calls without any user-facing disclosure or consent step. While this is not direct exfiltration of the secrets themselves to arbitrary destinations, it is a real overreach/privacy issue because the skill silently consumes privileged local credentials.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
Transcript text is forwarded to an external LLM gateway for summarization, and the resulting content is then sent to Feishu, with no explicit warning that third-party network transmission occurs. Even though YouTube transcripts are often public, the behavior still creates a data-transfer and privacy concern that users may not expect from a 'zero-config' local skill.

Ssd 4

Medium
Confidence
88% confidence
Finding
Untrusted transcript content is inserted directly into the LLM prompt, so spoken or captioned text can contain prompt-injection instructions that steer the summarizer away from its intended task. In this script the model output is later forwarded into Feishu cards, so malicious transcript text could cause misleading, manipulative, or policy-bypassing summaries to be delivered to the user.

VirusTotal

49/49 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.