
Security audit

YouTube Research Assistant

Security checks across malware telemetry and agentic risk

Overview

This skill does what it claims: it fetches YouTube captions with yt-dlp and stores them locally for transcript-based summaries and Q&A. The audit found no hidden exfiltration or destructive behavior.

Install only if you are comfortable with yt-dlp contacting YouTube for caption files and with transcript text, YouTube URLs, and active-video history being stored locally in the skill data folder. Use explicit YouTube requests to avoid accidental activation, and clear the skill data folder if video history or transcript content should not remain on the machine.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Description-Behavior Mismatch

Severity: Medium
Confidence: 90%
Finding
The script persistently stores fetched transcripts, source URLs, and session state under the user's home directory without any consent flow, retention notice, or minimization. Transcripts and watch history can reveal sensitive interests or private/unlisted content, so silent local retention creates a real privacy and data-exposure issue if the machine or workspace is shared or later compromised.

Description-Behavior Mismatch

Severity: Low
Confidence: 88%
Finding
The `session` and `list` commands expose stored transcript inventory and active/history state that are not reflected in the described user-facing behavior. While this is not code execution, it expands the data surface and makes previously retained browsing/transcript metadata easier to enumerate, which increases privacy risk.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding
The trigger phrase "summarize video" is broad enough to match ordinary requests unrelated to YouTube or this specific workflow. Overbroad activation can cause the skill to run unexpectedly, leading to unintended network calls, shell execution, and local session/file access in contexts where the user did not mean to invoke it.

Vague Triggers

Severity: Medium
Confidence: 85%
Finding
The command trigger "/summary" is highly generic and may collide with other skills or normal assistant command conventions. In this skill, unintended activation is more concerning because it can initiate file/session operations and potentially network-backed transcript fetching tied to prior state.
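Both trigger findings come down to the same fix: activate only when the request names a concrete YouTube video, and refuse the bare phrase or slash command with a reason the assistant can show the user. The guard below is an added example, not the skill's own code; the URL regex, the `Activation` type and the sample requests are this example's assumptions, and the two generic triggers are the ones the findings cite.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Added example (not the skill's code): an activation guard that only lets the
# YouTube Research Assistant run when the request names a concrete YouTube video.
# The generic triggers below are the ones the audit flags; the regex, the sample
# requests and the Activation type are this example's own assumptions.

YOUTUBE_ID = r"[A-Za-z0-9_-]{11}"            # standard 11-character video ID
YOUTUBE_URL_RE = re.compile(
    r"(?:https?://)?(?:www\.|m\.)?"
    r"(?:youtube\.com/(?:watch\?(?:[^\s#]*&)?v=|shorts/|embed/)|youtu\.be/)"
    rf"({YOUTUBE_ID})(?![A-Za-z0-9_-])"
)
GENERIC_TRIGGERS = ("summarize video", "/summary")


@dataclass(frozen=True)
class Activation:
    allowed: bool
    video_id: Optional[str]
    reason: str


def should_activate(request: str) -> Activation:
    """Decide whether the skill may run for this request.

    Rule: an explicit YouTube URL (or youtu.be short link) is required.  A bare
    generic trigger is refused with a reason the assistant can relay, so no
    network fetch, shell execution or session-state access happens on an
    accidental match.
    """
    text = request.strip()
    m = YOUTUBE_URL_RE.search(text)
    if m:
        return Activation(True, m.group(1), "explicit YouTube video reference present")
    lowered = text.lower()
    for trigger in GENERIC_TRIGGERS:
        if trigger in lowered:
            return Activation(
                False, None,
                f"generic trigger {trigger!r} matched without a YouTube URL; ask for the video link",
            )
    return Activation(False, None, "no YouTube reference; not a request for this skill")


if __name__ == "__main__":
    # Constructed sample requests; the video ID is made up.
    for req in (
        "summarize video https://www.youtube.com/watch?v=AbCdEfGhIj1&t=30s",
        "/summary",
        "summarize video of yesterday's team meeting",
    ):
        print(f"{req!r:70} -> {should_activate(req)}")
```

The negative lookahead after the ID stops a longer token from being mistaken for a video ID, and the optional `[^\s#]*&` group lets `v=` appear after other query parameters. Logging the `reason` on every refusal gives the user a visible explanation instead of silent non-activation.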

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
Fetching subtitles necessarily sends the provided URL to an external tool/service and then stores transcript/session data locally, but the script provides no user-facing warning or consent about either transmission or storage. In a research assistant context this can capture sensitive viewing activity and content metadata without the user's awareness.
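The first Description-Behavior Mismatch finding and this Missing User Warnings finding describe the same gap from two sides: nothing tells the user what leaves the machine or what stays on it, and nothing ages the stored data out. The example below is added here and is not the skill's code; it shows a pre-fetch notice, storage keyed by video ID rather than full URL, an inventory a `list` command could disclose, and an age-based purge. The `manifest.json` plus `<video_id>.txt` layout, the data-folder name and the sample IDs are this example's assumptions.

```python
import json
import tempfile
import time
from pathlib import Path
from typing import Optional

# Added example (not the skill's code) of the controls the findings say are absent:
# a user-facing notice before anything is fetched or stored, storage keyed by
# video ID rather than full URL, and an age-based purge.  The manifest.json /
# <video_id>.txt layout and the sample IDs are this example's assumptions.

DAY = 86400.0


def storage_notice(video_id: str, data_dir, max_age_days: float) -> str:
    """Text to show before fetching: what leaves the machine and what stays on it."""
    return (
        f"About to fetch captions for video {video_id} via yt-dlp (the video ID is sent to YouTube). "
        f"The transcript and this ID will be kept under {data_dir} for up to {max_age_days:g} days; "
        f"decline to skip, or clear that folder at any time."
    )


def _manifest(data_dir: Path) -> dict:
    p = data_dir / "manifest.json"
    return json.loads(p.read_text(encoding="utf-8")) if p.exists() else {}


def _write_manifest(data_dir: Path, manifest: dict) -> None:
    (data_dir / "manifest.json").write_text(json.dumps(manifest, indent=2), encoding="utf-8")


def record_transcript(data_dir: Path, video_id: str, transcript: str,
                      now: Optional[float] = None) -> Path:
    """Persist a transcript under its video ID and note when it was stored.

    Minimization: only the ID is kept, not the full URL, query string or title.
    """
    now = time.time() if now is None else now
    data_dir.mkdir(parents=True, exist_ok=True)
    path = data_dir / f"{video_id}.txt"
    path.write_text(transcript, encoding="utf-8")
    manifest = _manifest(data_dir)
    manifest[video_id] = {"stored_at": now}
    _write_manifest(data_dir, manifest)
    return path


def inventory(data_dir: Path) -> list:
    """Video IDs currently retained, i.e. what a `list` command should disclose."""
    return sorted(_manifest(data_dir))


def purge_expired(data_dir: Path, max_age_days: float, now: Optional[float] = None) -> list:
    """Delete transcripts older than max_age_days and return the purged IDs."""
    now = time.time() if now is None else now
    manifest = _manifest(data_dir)
    purged = []
    for vid, meta in list(manifest.items()):
        if now - meta["stored_at"] > max_age_days * DAY:
            (data_dir / f"{vid}.txt").unlink(missing_ok=True)
            del manifest[vid]
            purged.append(vid)
    _write_manifest(data_dir, manifest)
    return sorted(purged)


def run_demo(max_age_days: float = 7) -> dict:
    """Store two constructed transcripts ten days apart, then purge, in a throwaway directory."""
    t0 = 1_700_000_000.0                     # constructed timestamp
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp) / "youtube-research-assistant"
        record_transcript(d, "AbCdEfGhIj1", "constructed transcript one", now=t0)
        record_transcript(d, "zzzzzzzzzz9", "constructed transcript two", now=t0 + 10 * DAY)
        before = inventory(d)
        purged = purge_expired(d, max_age_days, now=t0 + 10 * DAY)
        return {"before": before, "purged": purged, "after": inventory(d),
                "file_removed": not (d / "AbCdEfGhIj1.txt").exists()}


if __name__ == "__main__":
    print(storage_notice("AbCdEfGhIj1", Path.home() / ".youtube-research-assistant", 7))
    print(run_demo())
```

Calling `purge_expired` at every activation keeps the retained history bounded without a separate cleanup job, and because the manifest is the single source of truth, `inventory` reports exactly what a `list` or `session` command would otherwise expose silently.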

VirusTotal

66/66 vendors flagged this skill as clean. A clean scan means no engine matched the packaged files against known malware; it does not assess the storage and trigger behaviors the findings above describe.
