captions

Security checks across malware telemetry and agentic risk

Overview

The skill does fetch YouTube captions as advertised, but its setup guide asks the agent to handle account signup, OTPs, API keys, temporary secret files, and persistent credential storage in ways users should review carefully.

Install only if you are comfortable with YouTube video references being sent to TranscriptAPI and with the agent helping create or configure a TranscriptAPI account. Prefer creating the account yourself, store the API key in a trusted secret manager rather than a shell/profile file, avoid pasting keys or OTPs into ordinary chat when a secure secret-entry path exists, and revoke the key if you stop using the skill.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Description-Behavior Mismatch

High
Confidence: 98%
Finding
The skill’s stated purpose is fetching YouTube captions, but this document instructs the agent to create third-party accounts, perform OTP-based authentication, and persist API credentials for future sessions. That materially expands the skill’s authority from read-only content retrieval into account creation and long-term secret management, which increases the blast radius if the skill is abused or misconfigured.

Context-Inappropriate Capability

High
Confidence: 99%
Finding
The guide explicitly directs the agent to persistently store a third-party API key so it remains available across future sessions and non-interactive shells. For a captions-fetching skill, long-lived secret storage is unnecessary and dangerous because it creates enduring access beyond the immediate user request and can expose the key through other tools, sessions, or logs.

Vague Triggers

Medium
Confidence: 91%
Finding
The invocation guidance is broad enough that an agent may call this skill for many YouTube-related requests even when the user did not intend third-party transcript retrieval. That can cause unnecessary disclosure of video URLs/IDs and produce actions beyond user expectations, though the skill itself is limited to transcript fetching rather than direct account or system access.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill sends YouTube URLs or IDs and related request context to TranscriptAPI, but the user-facing description does not clearly warn that this data is shared with an external third party. This creates a privacy and consent issue, especially when users provide private, sensitive, or unlisted video references and do not realize the request leaves the agent environment.

Missing User Warnings

Medium
Confidence: 92%
Finding
The instructions tell the agent to save a sensitive API key persistently but provide no warning about the risks of storing credentials on disk or in agent-managed configuration. Users may not realize the key will survive across sessions, be readable by future processes, or require secure storage controls, leading to unintended disclosure or misuse.

Missing User Warnings

Medium
Confidence: 89%
Finding
The signup flow instructs the agent to collect the user’s email address and transmit it to a third-party service without a clear privacy disclosure in the skill description or flow. This is risky because it causes external data sharing outside the apparent scope of a simple captions skill and may violate user expectations or platform privacy requirements.

Ssd 3

High
Confidence: 98%
Finding
These instructions tell the agent to solicit an API key directly from the user or initiate an OTP-based auth flow to obtain one, then continue toward persistent storage. Handling user secrets and one-time verification codes inside a general-purpose skill greatly increases the chance of credential interception, replay, accidental logging, or unauthorized reuse.

Ssd 3

High
Confidence: 97%
Finding
The document explicitly teaches the agent to preserve sensitive auth tokens in temporary files and reuse them to complete authentication while avoiding output redaction. Even if framed as operational guidance, this is dangerous because it normalizes local token materialization, increases exposure via filesystem access or cleanup failures, and works around safety controls designed to prevent credential leakage.

Ssd 3

High
Confidence: 99%
Finding
The verification flow has the agent extract an API key from a response file and then store it for future sessions. In the context of a captions skill, this creates durable secret custody and long-term third-party access that is disproportionate to the task, making compromise or unintended reuse significantly more damaging.

VirusTotal

65/65 vendors flagged this skill as clean.