Back to skill

Security audit

TubeScribe

Security checks across malware telemetry and agentic risk

Overview

TubeScribe appears to be a legitimate YouTube summarizer, but it needs review because a YouTube URL can trigger background agent processing with network access, local file writes, and local tool execution without a clear confirmation step.

Install only if you are comfortable with YouTube links starting background processing that fetches public YouTube data, writes local files, invokes local tools, and may send transcript/comment text through your agent model environment. Review setup.py before accepting optional downloads, avoid private or sensitive videos, and consider requiring explicit confirmation before processing each URL.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Output HandlingUnvalidated Output Injection, Cross-Context Output, Unbounded Output
  • Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (23)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
"""Check if a Python package is installed in system Python."""
    import_name = import_name or package
    try:
        result = subprocess.run(
            [sys.executable, "-c", f"import {import_name}"],
            capture_output=True, timeout=10
        )
Confidence
96% confidence
Finding
result = subprocess.run( [sys.executable, "-c", f"import {import_name}"], capture_output=True, timeout=10 )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# 2. Check shared ML env
    if os.path.exists(ml_env_python):
        try:
            result = subprocess.run(
                [ml_env_python, "-c", "import torch, soundfile, numpy, huggingface_hub"],
                capture_output=True, timeout=10
            )
Confidence
85% confidence
Finding
result = subprocess.run( [ml_env_python, "-c", "import torch, soundfile, numpy, huggingface_hub"], capture_output=True, timeout=10 )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
venv_python = os.path.join(kokoro_dir, ".venv", "bin", "python")
    if os.path.exists(venv_python):
        try:
            result = subprocess.run(
                [venv_python, "-c", "from kokoro import KPipeline"],
                capture_output=True, timeout=10, cwd=kokoro_dir
            )
Confidence
88% confidence
Finding
result = subprocess.run( [venv_python, "-c", "from kokoro import KPipeline"], capture_output=True, timeout=10, cwd=kokoro_dir )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
python_path, kokoro_dir = get_python_for_kokoro()
    if python_path and kokoro_dir:
        try:
            result = subprocess.run(
                [python_path, "-c", "from kokoro import KPipeline; print('ok')"],
                capture_output=True, timeout=10, cwd=kokoro_dir
            )
Confidence
88% confidence
Finding
result = subprocess.run( [python_path, "-c", "from kokoro import KPipeline; print('ok')"], capture_output=True, timeout=10, cwd=kokoro_dir )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
print(local_dir)
'''
    try:
        result = subprocess.run(
            [mlx_python, "-c", code],
            capture_output=True, text=True, timeout=15
        )
Confidence
90% confidence
Finding
result = subprocess.run( [mlx_python, "-c", code], capture_output=True, text=True, timeout=15 )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
print(blend_path)
'''
    try:
        result = subprocess.run(
            [mlx_python, "-c", code],
            capture_output=True, text=True, timeout=30
        )
Confidence
90% confidence
Finding
result = subprocess.run( [mlx_python, "-c", code], capture_output=True, text=True, timeout=30 )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
)
print("OK")
'''
        result = subprocess.run(
            [mlx_python, "-c", code],
            capture_output=True, text=True, timeout=300
        )
Confidence
91% confidence
Finding
result = subprocess.run( [mlx_python, "-c", code], capture_output=True, text=True, timeout=300 )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
run_kwargs = {"capture_output": True, "text": True, "timeout": 300}
        if os.path.exists(os.path.join(kokoro_dir, "kokoro", "__init__.py")):
            run_kwargs["cwd"] = kokoro_dir
        result = subprocess.run([kokoro_python, "-c", code], **run_kwargs)

        if result.returncode == 0 and os.path.exists(wav_path):
            if audio_format == "mp3":
Confidence
91% confidence
Finding
result = subprocess.run([kokoro_python, "-c", code], **run_kwargs)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill directs the agent to use shell commands, read and write files, access configuration in the home directory, and make network requests, yet it declares no permissions. That mismatch weakens user consent and policy enforcement because the runtime may expose materially broader capabilities than the metadata suggests.

Tp4

High
Category
MCP Tool Poisoning
Confidence
91% confidence
Finding
The documented purpose says the skill summarizes/transcribes YouTube videos, but the body also includes queue management, comment harvesting, setup/install behavior, and arbitrary text-to-audio generation. This expands the operational scope beyond what a user would reasonably expect, increasing the chance of unintended network access, software changes, or misuse of the audio generation path.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The skill claims the spawned sub-agent has strict instructions not to install software, but later documentation states yt-dlp may be auto-installed. Contradictory safety claims are dangerous because operators may trust the safer statement while the implementation still downloads or installs code.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The workflow explicitly says to stop if a tool is missing, but later documentation says setup will automatically download yt-dlp. This inconsistency can cause an agent or user to believe execution is bounded when the skill may actually fetch external binaries, creating supply-chain and policy-bypass risk.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The activation guidance is very broad: users only need to send a YouTube URL or ask for a summary/transcription, which can easily match ordinary conversation and trigger background processing automatically. In an agent setting, broad auto-activation increases the chance of unintended network access, external tool execution, and content processing from untrusted URLs without sufficiently explicit user intent.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The invocation guidance says to use the skill whenever a user sends a YouTube URL or asks to summarize/transcribe a YouTube video, which is broad enough to trigger on common conversational requests. Over-broad activation is risky here because it can immediately launch background processing with network, file, and shell side effects without a scoped confirmation step.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The workflow instructs the agent to spawn processing immediately for any YouTube URL and not block, but it does not constrain scope or require confirmation. In this skill context that is more dangerous because the spawned pipeline performs network access, document generation, audio creation, cleanup, and folder opening as side effects.

Unvalidated Output Injection

High
Category
Output Handling
Content
"""Check if a Python package is installed in system Python."""
    import_name = import_name or package
    try:
        result = subprocess.run(
            [sys.executable, "-c", f"import {import_name}"],
            capture_output=True, timeout=10
        )
Confidence
97% confidence
Finding
subprocess.run( [sys.executable, "-c", f"import {import_name}"], capture_output

Unvalidated Output Injection

High
Category
Output Handling
Content
# 2. Check shared ML env
    if os.path.exists(ml_env_python):
        try:
            result = subprocess.run(
                [ml_env_python, "-c", "import torch, soundfile, numpy, huggingface_hub"],
                capture_output=True, timeout=10
            )
Confidence
86% confidence
Finding
subprocess.run( [ml_env_python, "-c", "import torch, soundfile, numpy, huggingface_hub"], capture_output

Unvalidated Output Injection

High
Category
Output Handling
Content
venv_python = os.path.join(kokoro_dir, ".venv", "bin", "python")
    if os.path.exists(venv_python):
        try:
            result = subprocess.run(
                [venv_python, "-c", "from kokoro import KPipeline"],
                capture_output=True, timeout=10, cwd=kokoro_dir
            )
Confidence
89% confidence
Finding
subprocess.run( [venv_python, "-c", "from kokoro import KPipeline"], capture_output

Unvalidated Output Injection

High
Category
Output Handling
Content
# Normalize URL to standard format (fixes /live/, /shorts/, etc.)
    normalized_url = normalize_youtube_url(url)
    try:
        result = subprocess.run(
            ["summarize", normalized_url, "--youtube", "auto", "--extract-only", "--timestamps"],
            capture_output=True, text=True, timeout=120  # 2 min timeout for long videos
        )
Confidence
84% confidence
Finding
subprocess.run( ["summarize", normalized_url, "--youtube", "auto", "--extract-only", "--timestamps"], capture_output

Unvalidated Output Injection

High
Category
Output Handling
Content
print(local_dir)
'''
    try:
        result = subprocess.run(
            [mlx_python, "-c", code],
            capture_output=True, text=True, timeout=15
        )
Confidence
91% confidence
Finding
subprocess.run( [mlx_python, "-c", code], capture_output

Unvalidated Output Injection

High
Category
Output Handling
Content
print(blend_path)
'''
    try:
        result = subprocess.run(
            [mlx_python, "-c", code],
            capture_output=True, text=True, timeout=30
        )
Confidence
91% confidence
Finding
subprocess.run( [mlx_python, "-c", code], capture_output

Unvalidated Output Injection

High
Category
Output Handling
Content
)
print("OK")
'''
        result = subprocess.run(
            [mlx_python, "-c", code],
            capture_output=True, text=True, timeout=300
        )
Confidence
92% confidence
Finding
subprocess.run( [mlx_python, "-c", code], capture_output

Tool Parameter Abuse

High
Category
Tool Misuse
Content
| Option | Default | Description |
|--------|---------|-------------|
| `processing.subagent_timeout` | `600` | Seconds for sub-agent (increase for long videos) |
| `processing.cleanup_temp_files` | `true` | Remove /tmp files after completion |

### Comment Options
| Option | Default | Description |
Confidence
72% confidence
Finding
Remove /tmp

VirusTotal

56/56 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.