Back to skill

Security audit

YouTube Watcher

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward YouTube transcript fetcher that discloses its yt-dlp dependency and shows no hidden persistence, credential access, or data exfiltration.

Before installing, make sure you are comfortable with the skill running yt-dlp locally and making network requests for video URLs you ask it to process. Install yt-dlp only from a trusted package source, and treat fetched transcript content as untrusted third-party text rather than instructions for your agent.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill invokes a shell command and reads local script files, but it does not declare corresponding permissions or capabilities. This creates a transparency and policy-enforcement gap: an agent or platform may route or execute the skill without users or reviewers understanding that shell execution is involved.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The trigger phrase "summarize video" is broad enough to match many general requests that are not specifically about YouTube transcripts. Overbroad routing can cause the skill to be invoked unexpectedly, leading to unnecessary shell execution and external fetching on unintended inputs.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger phrase "analyze video" is ambiguous and may activate for requests involving non-YouTube videos or general multimodal analysis. In this skill, that ambiguity is more dangerous because activation leads to command execution and dependence on a transcript-fetching workflow that only fits a narrow input class.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.