Publora Youtube

Security checks across malware telemetry and agentic risk

Overview

This skill is a documentation-only guide for uploading and scheduling YouTube videos through Publora, with expected external upload behavior and no hidden execution components.

Install this only if you want an agent to help publish or schedule YouTube videos through Publora. Keep the Publora API key private, verify the video file, channel ID, title or description, scheduled time, and privacy setting, and avoid uploading sensitive or unreleased media unless publication is intended.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The skill includes concrete examples that transmit video content and metadata to external services, including a presigned upload URL, but it does not clearly warn users that media and descriptions will leave their environment and be stored/processed by third parties. In a skill specifically meant to publish content externally, this is expected behavior, but the missing disclosure increases the risk of accidental exposure of sensitive or unpublished media.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The document states that YouTube privacy defaults to public, but it does not prominently warn that omitted privacy settings may result in publicly visible publication. This creates a realistic risk of unintended disclosure of unreleased or sensitive video content if users rely on defaults.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal