
Security audit

YouTube Channel Compare

Security checks across malware telemetry and agentic risk

Overview

This appears to be a YouTube channel comparison skill with disclosed manual install steps, but users should review the remote script before running the curl commands.

Before installing, read the SKILL.md and compare_channels.py from the source repository, prefer a pinned commit or verified hash instead of downloading from main, and only run the curl commands if you trust the publisher and are comfortable adding persistent instructions to your agent environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Lp3

Medium
Category
MCP Least Privilege
Confidence
84% confidence
Finding
The skill instructs users to run shell commands that download files from GitHub and install them into the agent skills directory, but it declares no permissions to reflect its actual shell and file-write behavior. This mismatch weakens transparency and policy enforcement, making it easier for a user or platform to underestimate the skill's ability to modify the local environment.

Session Persistence

Medium
Category
Rogue Agent
Content
```bash
# macOS / Linux
mkdir -p ~/.agents/skills/youtube-channel-compare/scripts
curl -o ~/.agents/skills/youtube-channel-compare/SKILL.md \
  https://raw.githubusercontent.com/mcbaivn/openclaw-skills-mcbai/main/skills/youtube/youtube-channel-compare/SKILL.md
curl -o ~/.agents/skills/youtube-channel-compare/scripts/compare_channels.py \
```
Confidence
78% confidence
Finding
mkdir -p ~/.agents/skills/youtube-channel-compare/scripts curl -o ~/.agents/skills/youtube-channel-compare/SKILL.md \ https://raw.githubusercontent.com/mcbaivn/openclaw-skills-mcbai/main/skills/yout

VirusTotal

67/67 vendors flagged this skill as clean.
