Back to skill

Security audit

transcript

Security checks across malware telemetry and agentic risk

Overview

This transcript skill has a legitimate purpose, but its setup flow gives the agent broad control over account creation, OTP handling, API-key storage, and persistent environment changes.

Review before installing. Use this only if you are comfortable sending YouTube video identifiers and related request data to TranscriptAPI, and prefer creating the account and storing the API key yourself through a trusted secret manager. Avoid letting the agent handle OTPs or persist secrets broadly unless you understand where the key will be stored and how to revoke it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The document expands the transcript skill beyond its declared purpose by instructing the agent to handle account provisioning and long-term secret management. This increases the skill’s authority and data-handling scope, creating unnecessary exposure to credential collection, persistence, and misuse that are not required for fetching transcripts.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The instructions tell the agent to determine how to persist an environment variable across future sessions and non-interactive shells, which is effectively a persistent runtime modification. Persisting secrets at the skill-document level creates a cross-session trust and scope problem, especially if the environment mechanism is broader than this single skill or shared with other contexts.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The skill authorizes the agent to register end-user accounts, request email-based OTPs, and complete verification on the user’s behalf even though that is unrelated to the narrow task of obtaining transcripts. This gives the skill a broader identity and credential-handling role, increasing phishing-like behavior and the chance of account misuse or accidental capture of sensitive authentication data.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The skill metadata explicitly says it is not for account management, but the document instructs the agent to create accounts and verify them via OTP. This contradiction is especially dangerous because it bypasses the user’s and platform’s expectations about what the skill is allowed to do, creating a clear scope violation around authentication and account operations.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The activation description is quite broad and explicitly says to use the skill even when not explicitly requested, which can cause the agent to invoke a third-party networked capability for many general video-related tasks without clear user intent. That increases the chance of unnecessary external data disclosure and surprising behavior, especially when users only wanted local reasoning or a brief answer rather than an outbound API call.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill instructs the agent to send video URLs/IDs and request metadata, including a User-Agent, to TranscriptAPI.com but does not clearly warn the user that their input will be transmitted to an external third party. This creates a privacy and transparency issue because users may unknowingly cause external disclosure of research interests, watched content, or sensitive links embedded in prompts.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The document instructs the user to paste an API key directly into chat without warning about privacy, retention, or safer alternatives. In a skill that already handles account setup and secret storage, this is more dangerous because it normalizes sharing long-lived credentials through a conversational channel where logging or unintended exposure may occur.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.