YouTube Content

Security checks across malware telemetry and agentic risk

Overview

The skill is purpose-built for YouTube transcription, but its default workflow uses Chrome browser cookies for yt-dlp without an explicit consent gate.

Review before installing. The inspected artifacts show no deception or exfiltration, but use the cookie-based yt-dlp path only when you understand that it reads Chrome-stored YouTube session cookies. Prefer the included transcript API path or unauthenticated yt-dlp first, and treat browser-cookie access as an explicit fallback for videos that truly require login.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Context-Inappropriate Capability

Medium
Confidence: 90%
Finding
The documented workflow includes extracting Chrome cookies and discovering the system proxy configuration, which are sensitive system/browser interactions beyond simple transcript retrieval. In context, these may be operationally useful for yt-dlp, but they also expand access into account/session data and local network configuration without clear minimization or consent boundaries.

Missing User Warnings

Medium
Confidence: 95%
Finding
Using `--cookies-from-browser chrome` accesses browser-stored session cookies, which can expose account-linked authentication material and other private browsing data to the execution environment. Even if intended only to reach restricted YouTube content, doing so without an explicit warning and consent step creates a substantial privacy and account-security risk.

VirusTotal

65/65 vendors flagged this skill as clean.
