YouTube Content Analyzer

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a normal YouTube/transcript analysis helper, with local report-writing and manual install risks users should review before use.

Before installing, read the downloaded SKILL.md and analyze_content.py, prefer a pinned commit or verified release instead of the mutable main branch, and delete generated reports if they contain private transcripts. Do not provide sensitive video transcripts unless local persistence is acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill invokes Python scripts, shell commands, network fetches, and writes files under the user's home directory, yet it declares no explicit permissions or trust boundaries. This creates a capability mismatch that can cause agents or users to execute file and shell operations without clear disclosure or policy gating.

Missing User Warnings

Low
Confidence
83% confidence
Finding
The script writes reports that embed raw transcript content to disk, potentially including sensitive or copyrighted material, without meaningful notice, consent flow, or data-handling controls. In this skill context, users may supply private subtitle/transcript files or URLs and not realize the content is being persisted locally in a reusable report.

Session Persistence

Medium
Category
Rogue Agent
Content
```bash
# macOS / Linux
mkdir -p ~/.agents/skills/youtube-content-analyzer/scripts
curl -o ~/.agents/skills/youtube-content-analyzer/SKILL.md \
  https://raw.githubusercontent.com/mcbaivn/openclaw-skills-mcbai/main/skills/youtube/youtube-content-analyzer/SKILL.md
curl -o ~/.agents/skills/youtube-content-analyzer/scripts/analyze_content.py \
```
Confidence
91% confidence
Finding
mkdir -p ~/.agents/skills/youtube-content-analyzer/scripts curl -o ~/.agents/skills/youtube-content-analyzer/SKILL.md \ https://raw.githubusercontent.com/mcbaivn/openclaw-skills-mcbai/main/skills/yo

VirusTotal

66/66 vendors flagged this skill as clean.
