YouTube Shorts 자동 생성

The skill is classified as suspicious due to its broad requested permissions and the instruction to fetch and execute unverified external code. `SKILL.md` explicitly requests `Bash`, `Read`, `Write`, and `exec` tools, granting extensive control. Crucially, it instructs the agent to `git clone https://github.com/kangjjang/youtube-shorts-skill.git` and then execute `bash scripts/setup.sh` from the cloned repository. This constitutes a significant supply chain vulnerability, as the content of the external repository and its setup script are not provided for analysis and could contain malicious payloads. Additionally, `pip install -r requirements.txt` introduces further supply chain risk via Python packages. The skill also requires `GEMINI_API_KEY`, which, combined with the broad permissions, could be vulnerable to exfiltration by the external code.