Back to skill

Security audit

ytdlp-transcript — YouTube to Text via yt-dlp

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it advertises: fetch captions for a user-provided YouTube video and print cleaned transcript text.

Install yt-dlp only from a trusted source and make sure the yt-dlp found in your PATH is the one you intend to run. Using this skill contacts YouTube for the video you provide and briefly creates temporary caption files during processing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

VirusTotal

52/52 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
transcript.js:61