Back to skill

Security audit

Youtube Playlist Handler

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real YouTube playlist tool, but it needs review because it can access broader YouTube account data than its description clearly discloses.

Install only if you trust this skill with broad YouTube account access. Before using it, understand that it stores a reusable local OAuth token, can modify playlists, can remove playlist items, and includes undocumented commands that print liked videos and subscriptions; delete token.pickle or revoke the Google OAuth grant when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill advertises OAuth-driven YouTube playlist management and therefore clearly performs networked actions against a third-party account, but it does not declare corresponding permissions. Missing permission disclosure weakens reviewability and informed consent, making it easier for a user or orchestrator to invoke account-affecting actions without understanding the external access involved.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
A description-behavior mismatch is especially risky in an OAuth-enabled skill because hidden capabilities such as reading liked videos or subscriptions expand access beyond the stated playlist-management purpose. This breaks least-privilege expectations and can expose sensitive account data or enable covert data collection under the guise of a narrower function.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The skill is described as playlist management, but the code also exposes access to liked videos and subscriptions, which are unrelated user data domains. This creates scope creep and unnecessary access to private account information, increasing privacy risk and the chance an agent uses broader capabilities than the user expected.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The skill is described as a YouTube playlist manager, but it also exposes functions to read liked videos and subscriptions, which expands data access beyond the stated purpose. This creates a scope mismatch that can surprise users and facilitate unnecessary collection of personal account data under a broader OAuth scope.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
Reading liked videos and subscriptions is unrelated to the core playlist-management use case and gives the skill access to account-profile and preference data that users may not expect to share. In an agent setting, this kind of over-collection increases privacy risk and makes abuse or accidental disclosure more damaging.

Description-Behavior Mismatch

Low
Confidence
90% confidence
Finding
The top-level usage text documents only auth, create, add, bulk-create, and list, but the code also implements remove, videos, liked, and subscriptions. Omitting destructive and non-playlist capabilities from the advertised interface reduces transparency and can mislead reviewers or users about what the tool actually does.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The markdown mentions browser auth and token caching, but it does not explicitly warn users about privacy implications, local credential persistence, or the sensitivity of the cached OAuth token. In a skill that modifies a personal YouTube account, unclear disclosure increases the chance of accidental credential exposure or use on shared systems.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The code deletes a playlist item immediately once it finds a matching entry, with no confirmation, dry-run mode, or warning. In an agent context, this increases the risk of accidental destructive actions from malformed prompts, wrong playlist IDs, or user misunderstanding.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The OAuth token is serialized and written to disk in token.pickle without any warning, secure-storage controls, or permission hardening. Local tokens can often be reused by other local processes or users to access the connected account, making credential theft or accidental exposure more likely.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.