Back to skill

Security audit

youtube-api

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate YouTube data helper, but it needs Review because its setup asks an agent to handle and persist API credentials, email verification codes, and secret-redaction workarounds.

Install only if you trust TranscriptAPI and are comfortable with an agent sending YouTube-related queries, URLs, handles, and playlist IDs to that service. Prefer creating the account yourself, providing a dedicated key through a platform secret manager, confirming where the key will be stored, and rotating or revoking it when you stop using the skill.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The file directs the agent to create third-party accounts, collect user email/OTP, and persistently store an API secret, which is materially broader than a YouTube lookup skill's stated read-oriented purpose. This creates an unnecessary credential-handling and account-management pathway that could expose secrets or normalize risky agent behavior without clear justification in the skill context.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The guide instructs the agent to persist a credential across sessions and verify that it is available to future non-interactive shells, giving the skill durable access beyond the immediate user request. For a read-only YouTube assistance skill, this is an unjustified expansion of privilege and increases the chance of credential leakage, misuse, or unintended background use.

Intent-Code Divergence

Medium
Confidence
85% confidence
Finding
The skill description says it can be used without Google API quotas or OAuth setup, but the referenced file replaces that with another external account signup, OTP verification, and API key setup flow. This mismatch can mislead users and operators about the true trust and security requirements, making them more likely to disclose credentials or permit persistence they did not expect.

Vague Triggers

High
Confidence
93% confidence
Finding
The invocation text is unusually broad: it says to trigger not only on pasted YouTube links or explicit YouTube requests, but also on general topic research and on any request where YouTube content 'would help — even if not mentioned explicitly.' This can cause the agent to route ordinary research queries to this networked third-party skill without clear user intent, increasing the chance of unnecessary disclosure of user queries, creator names, handles, or URLs to TranscriptAPI.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill documents how to send requests and required headers, but it does not clearly warn that user-provided search terms, video URLs, channel handles, playlist IDs, and related metadata will be transmitted to TranscriptAPI over the internet. In a skill designed to trigger broadly, this omission reduces transparency and can lead to privacy and data-handling surprises for users who may not realize their requests are being sent to a third party.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The instructions tell the agent to store the API key persistently in whatever local config or shell mechanism is available, but do not require an explicit warning or informed consent about writing a sensitive secret to disk/config files. That omission increases the risk that users unknowingly allow durable storage in insecure or overly broad locations.

Ssd 3

High
Confidence
98% confidence
Finding
The document instructs the agent to ask the user to paste an API key and then set it up for persistence across sessions. Collecting and retaining a user's secret directly in conversational flow expands exposure of the credential and is unnecessary for a simple content-retrieval skill unless strongly justified and tightly controlled.

Ssd 3

High
Confidence
97% confidence
Finding
The signup flow instructs the agent to act on the user's behalf for registration, receive an email OTP, and exchange it for an API key. This puts the agent in the middle of an authentication process and conditions users to share verification codes and derived credentials, which is a sensitive anti-pattern with significant account-security implications.

Ssd 3

High
Confidence
99% confidence
Finding
The storage section explicitly requires persistent retention of the recovered API key for future sessions and non-interactive shells. Persisting third-party credentials in broad environment/config locations increases blast radius if the host is compromised, the file is exposed, or other tools/processes inherit the variable.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.