Back to skill

Security audit

Onnex YouTube

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real YouTube utility, but it includes under-disclosed Google account access and saved OAuth tokens, so it needs review before installation.

Review before installing. Use this only if you are comfortable granting YouTube account access beyond public video lookup, including subscriptions, playlists, liked videos, and channel data. Prefer a version that uses narrower read-only scopes, clearly documents token storage, and explains how to delete local tokens and revoke Google access.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
87% confidence
Finding
The skill declares no permissions in metadata while its documented and detected behavior includes network access and shell/subprocess execution. This undermines informed consent and sandboxing decisions, because users and policy engines cannot accurately assess or restrict the skill before installation.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The skill description emphasizes transcripts, downloads, and exploration, but the code reportedly also performs OAuth authentication, accesses account-specific YouTube data, and stores/manages tokens for multiple accounts. That mismatch is dangerous because it can cause users to authorize broader data access than expected, increasing the risk of privacy violations, token misuse, and overprivileged operation.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The description emphasizes transcripts, downloads, and exploration, but the code also exposes authenticated account-scoped operations such as subscriptions, playlists, liked videos, and `mine=True` channel access. That mismatch can cause users to authorize broader YouTube access than they reasonably expect, increasing privacy and consent risk.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
OAuth credentials are serialized to local disk in a token pickle without any explicit warning to the user about persistent credential storage. In shared or weakly secured environments, stored tokens may be copied or reused by other local processes or users, leading to unauthorized access to the user's YouTube account data.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
Account-scoped commands transmit personal YouTube data such as subscriptions, playlists, and liked videos to Google APIs under OAuth, but the script does not present any privacy notice or scope-specific warning when users invoke these commands. In context, this is more concerning because the skill is marketed mainly as a research/download tool, so users may not anticipate the breadth of account access.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.