Youtube Master

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it advertises: fetch YouTube video details and optional transcripts using disclosed Google and Apify credentials.

Install only if you are comfortable letting the skill use your YouTube API key and, when you request transcripts, your Apify token. Prefer restricted API keys, watch Apify usage or billing for transcript requests, and note that the script currently expects credentials in the documented OpenClaw credentials file rather than reading the advertised environment variables.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 93% confidence
Finding: The skill clearly describes outbound calls to the YouTube Data API and optionally the Apify API, but the static finding indicates those network capabilities are not formally declared in permissions. Undeclared network access is a real security and governance issue because it prevents accurate policy enforcement, user awareness, and review of external data flows and secret usage.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal