YouTube Music ULTRA

Security checks across malware telemetry and agentic risk

Overview

This skill has a coherent YouTube Music purpose, but its scripts build shell commands from user-controlled music queries and video IDs in a way that can execute unintended local commands.

Review before installing. Do not run the Node helpers with untrusted song queries, URLs, or video IDs until they replace shell-string execSync calls with argument-array execution and strict URL/video-ID validation. Use a dedicated browser profile, clear the /tmp caches if privacy matters, and require explicit confirmation for playlist, like, queue, and autoplay actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Lp3

Medium
Category
MCP Least Privilege
Confidence
75% confidence
Finding
The skill advertises browser automation and requires Node, but it does not declare permissions corresponding to shell-like or code-execution capabilities detected by analysis. Missing permission disclosure weakens sandboxing and informed consent, making it easier for a skill to invoke local tooling or supporting scripts without users understanding the trust boundary.

Tp4

High
Category
MCP Tool Poisoning
Confidence
87% confidence
Finding
The documented purpose is YouTube Music playback control, but the detected behavior includes opening arbitrary YouTube/YouTube Music URLs or video IDs and using local cache files and benchmarking utilities. That expands the attack surface beyond expected media control into arbitrary navigation and local state manipulation, which is especially risky because the automated browser may be logged into a personal account.

Vague Triggers

Medium
Confidence
85% confidence
Finding
The natural-language examples are broad enough that ordinary conversational phrases like 'pause the music' or 'skip this track' could trigger browser automation without strong user-intent confirmation. In an agent environment, ambiguous triggers can cause unintended actions, especially when the skill is auto-invoked from general chat or shared contexts.

Vague Triggers

Medium
Confidence
91% confidence
Finding
Claiming the skill is auto-discovered and can be driven by generic music-related commands without constraints increases the risk of overbroad activation. In a browser-automation skill, unintended invocation can manipulate a persistent logged-in YouTube Music session, affecting playback, account state, or user privacy expectations.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The log explicitly describes automatic playback with 'no manual intervention needed' but provides no warning or consent mechanism. In a browser automation skill, this can cause unexpected media playback, audio leakage, or disruptive behavior in shared or sensitive environments, though it is not by itself a code-execution issue.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README promotes browser automation for YouTube Music and account-affecting features like playlist and queue management, but it does not warn that actions may run in an authenticated browser profile and therefore change a user's real account state. This can lead to unintended playback, playlist edits, likes, subscriptions, or other persistent account actions if invoked by an agent or misunderstood by the user.

Missing User Warnings

Low
Confidence
89% confidence
Finding
Documenting browser snapshots without a privacy warning is risky because snapshots can capture visible page content from an authenticated session, including account identity, recommendations, playlist names, or other sensitive UI data. In an automation context, users may not realize that a diagnostic or control step can expose on-screen information to logs, tools, or downstream processing.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill omits a clear warning that browser automation may access account-specific YouTube Music data and perform state-changing actions such as liking tracks, editing playlists, or using a signed-in session. In this context, that omission matters because the skill operates against a live browser profile and can act with the user's existing account privileges.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documentation explicitly promotes 'Atomic Play Actions' with 'Zero user interaction needed' but does not warn users that invoking playback commands can automatically drive the browser and start media. In a browser-automation skill, this omission is security-relevant because users may not realize commands can trigger immediate side effects in their active browser context, including unexpected media playback and navigation.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The file advertises predictive pre-loading, auto-play by default, and persistent caching across sessions without explaining their privacy and local-state implications. In this skill context, persistent query-to-ID mappings and background browser/media behavior can expose listening history, alter local state, and surprise users who do not expect cross-session retention or automatic queued playback.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The natural-language examples are broad and lack explicit activation boundaries, increasing the chance that ambient conversation or loosely matched user text could trigger browser automation unintentionally. In a skill that controls media playback and interacts with a live browser session, unintended triggering can cause privacy issues, disruptive actions, or command confusion across contexts.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The command string passed to execSync is built by concatenating untrusted parameter values into a shell command with only double-quote wrapping. An attacker-controlled value containing shell metacharacters such as command substitution can break out of the intended argument context and trigger arbitrary OS command execution under the current user.

VirusTotal

64/64 vendors flagged this skill as clean.
