YouTube Playlist Item

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward YouTube playlist management skill, but it can change or delete playlist items and uses sensitive OAuth credentials.

Install this only if you want an agent to manage your YouTube playlists. Keep client_secret.json and youtube.token.json private, store them outside shared repositories when possible, avoid pasting raw secrets into logs or shell history, and verify playlist/item IDs before update or delete commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 93%
Finding
The setup guide instructs users to save OAuth client credentials and a cached access token to predictable local files but does not warn that these files are sensitive secrets that must not be committed, shared, or left with broad filesystem permissions. That omission can lead to credential leakage, allowing unauthorized access to the user's YouTube account or API project if the files are exposed through source control, logs, backups, or multi-user systems.

VirusTotal

66/66 vendors flagged this skill as clean.
