Back to skill

Security audit

subtitles

Security checks across malware telemetry and agentic risk

Overview

The subtitle feature is plausible, but the setup gives the agent broad authority to create an account, handle email codes and API keys, and persist secrets.

Install only if you trust TranscriptAPI and are comfortable with an agent handling account setup and long-lived API credentials. Prefer creating the account yourself, storing the key in a scoped secret manager instead of shell profiles or broad environment files, and avoid submitting private or sensitive YouTube links unless you accept sharing them with the provider.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The document instructs the agent to perform account creation, OTP verification, and long-term credential storage, which goes well beyond the stated subtitle-fetching purpose of the skill. That expands the skill into credential handling and account management, increasing the chance of secret exposure, unauthorized account actions, and abuse of user trust.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The instructions tell the agent to determine how to persist an environment variable across sessions and non-interactive shells, which is unnecessary for a narrow subtitle retrieval capability and encourages broad secret propagation on the host. Persisting API keys in general environment configuration increases the blast radius if the machine, shell history, config files, or other processes are compromised.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The skill metadata says it is not for account management, but the documentation explicitly directs the agent to register accounts, handle email-based OTP verification, and recover API keys. This mismatch can bypass user expectations and review controls by hiding sensitive identity and credential workflows inside a seemingly simple subtitles skill.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill sends user-supplied YouTube URLs/IDs and can optionally request video metadata from a third-party service, but it does not disclose the privacy implications of sharing that data externally. This can expose viewing interests, research topics, or other sensitive context tied to a requested video, especially when users may assume subtitle extraction is handled locally or by YouTube directly.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The instructions collect the user's email, request an OTP from their inbox, and later persist the resulting API key without clear user-facing notice about privacy, retention, and credential-handling risks. This can normalize sharing sensitive authentication factors with the agent and may expose personal data or enable account takeover if mishandled.

Ssd 3

High
Confidence
99% confidence
Finding
The guide tells the agent to ask the user to paste an API key and, if they do not have one, to collect an email OTP during signup. Directing an agent to solicit and handle secrets and authentication codes across sessions materially increases the risk of credential theft, replay, and accidental retention in logs or memory.

Ssd 3

High
Confidence
99% confidence
Finding
The document explicitly requires persistent storage of recovered secret values so they survive across future sessions and shells. Long-lived, widely accessible storage of API keys increases the chance of exfiltration by other tools, users, processes, or later prompts unrelated to the subtitles function.

Ssd 3

High
Confidence
100% confidence
Finding
The guide instructs the agent to save raw HTTP responses to temporary files and extract tokens from those files specifically to avoid runtime redaction of access tokens and API keys. Deliberately bypassing redaction and secret-protection controls is highly suspicious because it enables recovery, reuse, and persistence of sensitive credentials that the environment is trying to withhold.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.