Youtube Transcription Generator

Security checks across malware telemetry and agentic risk

Overview

This skill appears legitimate for transcribing user-selected YouTube videos, with the main caution that media is processed by VLM Run.

Install only if you are comfortable downloading YouTube media locally and sending it to VLM Run for transcription. Avoid private, regulated, non-consensual, or copyrighted material unless you have permission and accept the provider's data-handling terms; protect the VLMRUN_API_KEY stored in .env or .env.local.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill instructs users to download YouTube content locally and then submit the resulting video file to vlmrun, an external transcription service, but it does not clearly warn that the video/audio content and likely associated metadata will be transmitted off-system. This creates a real privacy and data-handling risk, especially if users process sensitive, private, or copyrighted material without understanding that third-party processing occurs.

VirusTotal

66/66 vendors flagged this skill as clean.
