Boring YouTube Publisher

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed YouTube publishing connector, but it can publish videos publicly through Boring using a credential-bearing MCP link.

Install only if you trust Boring with your YouTube channel publishing workflow. Keep the MCP Connector URL private, verify the target channel and all video metadata before publishing, and assume uploaded media and the resulting YouTube post may be public unless you have confirmed otherwise.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The skill states that uploads are public by default, but it does not require or clearly instruct the agent to warn the user and obtain confirmation immediately before publishing. In a publishing workflow, this can lead to accidental public disclosure of videos, thumbnails, captions, or sensitive metadata if the user assumed a draft/private upload.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal