Youtube Music Player

Security checks across malware telemetry and agentic risk

Overview

This YouTube Music skill does what it claims, but it handles live account cookies in an unsafe chat-based setup flow and stores sensitive session material locally.

Install only if you are comfortable giving the skill access to your YouTube Music session. Do not paste Google or YouTube cookies into chat unless you understand they can act like login credentials. Protect or remove .ytmusic/auth.json and .ytmusic/playwright-profile when done, and review any destructive action such as deleting playlists, uploads, or history before allowing it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (13)

Missing User Warnings

Medium
Confidence: 91%
Finding
The README explicitly documents that authentication headers, browser session state, logs, and a persistent Playwright profile are stored locally, but it does not warn that these artifacts may contain reusable account credentials or sensitive session material. In the context of a YouTube Music skill, those files could enable account takeover, unauthorized playback/account actions, or leakage of personal listening/account data if the directory is exposed, synced, or committed.

Missing User Warnings

Medium
Confidence: 95%
Finding
The auth setup instructions tell users to paste raw cookie strings or supply exported cookie files without any warning that these are highly sensitive bearer-style credentials. In a skill designed to control a personal media account, mishandling these inputs could let an attacker reuse session cookies to access the user's account and associated personal data, especially if copied into shell history, logs, screenshots, or shared transcripts.

Missing User Warnings

High
Confidence: 98%
Finding
The skill instructs the agent to request raw Cookie headers or cookie exports without clearly warning that these are highly sensitive authentication secrets that may grant broad account access. In a chat-based workflow, this normalizes unsafe credential handling and increases the chance of credential theft, replay, accidental logging, or reuse beyond the stated purpose.

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill instructs the operator to collect and pass raw YouTube Music authentication cookies or a cookies export file to `auth setup`, which are highly sensitive bearer-style credentials. Anyone with access to those values may be able to impersonate the user account, so documenting this flow without explicit security warnings, minimization, storage/retention guidance, or safer alternatives creates a real credential-handling risk.

Missing User Warnings

Medium
Confidence: 89%
Finding
The skill saves derived authentication headers and the full Cookie header to a local auth.json file, but the user-facing setup flow does not clearly warn that sensitive session credentials are being persisted on disk. These values can often be reused to access the user's YouTube/Google account context, so silent local persistence increases the risk of credential theft from disk, backups, logs, or other local users/processes.

Missing User Warnings

Medium
Confidence: 89%
Finding
When importing a browser cookie export, the code persists reconstructed session material into auth.json without prominently warning that highly sensitive browser session data is being stored. Cookie exports may contain active account session secrets, and persisting them can expose the account if the file is accessed by another process, user, or backup system.

Missing User Warnings

Medium
Confidence: 92%
Finding
The daemon writes its bearer token, host, and port to a predictable state file under the skill data directory. Any local process or user that can read that file can issue authenticated playback commands or shut down the daemon, and because the browser uses a persistent profile, this may expose control over the user's signed-in YouTube Music session.

Ssd 3

High
Confidence: 99%
Finding
Requesting a full browser Cookie header in chat is a direct solicitation of bearer-style authentication material. Anyone with access to the conversation, logs, telemetry, or downstream tooling could potentially hijack the user's Google/YouTube session, making this especially dangerous given the skill's account access and modification features.

Ssd 3

Medium
Confidence: 94%
Finding
Asking for a cookies JSON export path still encourages collection and use of browser credential material, and the file likely contains session tokens with broad account access. Even if only the path is sent in chat, the workflow is designed to ingest sensitive credentials from disk into the skill, creating risks around local file exposure, insecure retention, and unauthorized account use.

Ssd 3

High
Confidence: 98%
Finding
The agent prompt explicitly instructs the user to send a full browser Cookie header back to the agent. That is a direct request for live session secrets, and in an agent environment those secrets may transit through chat logs, telemetry, prompt history, or third-party infrastructure, enabling account takeover or cross-service abuse.

Ssd 3

High
Confidence: 98%
Finding
The reply template walks the user through extracting the Cookie request header from DevTools and sending the full secret back to the agent. This converts a browser session credential into chat content, which is especially dangerous because conversational systems often retain, process, or expose messages beyond the immediate runtime.

Ssd 3

High
Confidence: 97%
Finding
The step-by-step setup guidance tells the user to copy a Cookie string from browser traffic and send it to the agent, again soliciting a reusable secret. In the context of an AI skill, this is more dangerous than a normal CLI because the agent platform may store prompts/responses or expose them to operators and tools.

Ssd 3

Medium
Confidence: 83%
Finding
Requesting a cookies JSON export path is less severe than requesting the cookie contents in chat, but it still normalizes browser-cookie extraction as an auth mechanism and may lead to handling highly sensitive session exports. In many agent setups, a supplied file path may trigger subsequent reading/uploading of a file containing live account cookies.

VirusTotal

62/62 vendors flagged this skill as clean.
