youtube-comment-miner

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: it fetches and locally analyzes YouTube comments, with privacy and dependency hygiene risks users should manage.

Install in a virtual environment, pin reviewed dependency versions, and collect only comments you have a legitimate reason to analyze. The tool saves public comment text plus author metadata locally, so delete outputs when no longer needed and avoid using scraped comments as instructions for your agent.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (5)

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill explicitly collects and stores YouTube comments with author identifiers and timestamps, but provides no privacy, retention, consent, or data-handling guidance. Even if the data is publicly visible, aggregating and saving it locally increases privacy risk, enables profiling, and may create compliance issues depending on jurisdiction and use.

Unpinned Dependencies

Low
Category
Supply Chain
Content
yt-dlp>=2024.1.0
youtube-search>=2.1.0
python-dotenv>=1.0.0
Confidence
92% confidence
Finding
yt-dlp>=2024.1.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
yt-dlp>=2024.1.0
youtube-search>=2.1.0
python-dotenv>=1.0.0
Confidence
89% confidence
Finding
youtube-search>=2.1.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
yt-dlp>=2024.1.0
youtube-search>=2.1.0
python-dotenv>=1.0.0
Confidence
78% confidence
Finding
python-dotenv>=1.0.0

Known Vulnerable Dependency: yt-dlp — 7 advisory(ies): CVE-2023-46121 (yt-dlp Generic Extractor MITM Vulnerability via Arbitrary Proxy Injection); GHSA-3v33-3wmw-3785 (yt-dlp has dependency on potentially malicious third-party code in Douyu extract); CVE-2023-40581 (yt-dlp on Windows vulnerable to `--exec` command injection when using `%q`) +4 more

High
Category
Supply Chain
Confidence
97% confidence
Finding
yt-dlp

VirusTotal

65/65 vendors flagged this skill as clean.
