Back to skill

Security audit

youtube-data

Security checks across malware telemetry and agentic risk

Overview

This YouTube data skill is mostly a real third-party API integration, but its setup asks the agent to handle account signup, OTPs, API keys, redaction workarounds, and persistent environment changes.

Install only if you are comfortable using TranscriptAPI for YouTube requests and letting the agent handle a TranscriptAPI key. Prefer creating the account yourself, entering the key through a dedicated secret manager, confirming exactly where it will be stored, and avoiding sensitive or private URLs or search terms.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The file is for a YouTube data skill, but it contains end-to-end instructions for obtaining and storing a third-party TranscriptAPI credential. That materially expands the skill’s capabilities beyond its declared scope and normalizes secret-handling and account-setup behavior unrelated to simple YouTube data retrieval, increasing the risk of unauthorized credential collection and environment modification.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
These instructions tell the agent to persistently store a third-party API key so it survives future sessions and non-interactive shells. For a YouTube data skill, that is an unjustified persistence and secret-retention capability that can lead to long-term credential exposure, unintended reuse, and silent modification of local or agent configuration.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The document directs the agent to register TranscriptAPI accounts and complete OTP-based verification on the user’s behalf, which is outside the stated YouTube data retrieval purpose. This gives the skill an unnecessary identity/provisioning role and conditions users to delegate account creation and verification flows, including handling login tokens and one-time codes.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The trigger text is unusually expansive: it activates on YouTube URLs, creator names, topic research, and even requests where YouTube is 'not mentioned explicitly.' That can cause the agent to route many ordinary research tasks to this skill, increasing unintended third-party data disclosure and unnecessary use of an external API key-backed service.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill instructs the agent to send user queries, video URLs, channel identifiers, and playlist data to TranscriptAPI.com using a bearer API key, but it does not clearly disclose this as third-party transmission or advise caution with sensitive inputs. In this context, the broad auto-triggering behavior makes the omission more dangerous because users may not realize their research terms or pasted links are being sent off-platform.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The instructions require persistent secret storage and possible configuration changes, but they do not require a clear user-facing warning that local config, shell profiles, or agent secret settings may be modified. That omission reduces transparency and can cause users to unknowingly authorize durable security-sensitive changes to their environment.

Ssd 3

High
Confidence
99% confidence
Finding
The skill explicitly asks the user to paste an API key directly into chat and frames the agent as responsible for setting it up for future use. Collecting secrets in conversational content and preparing them for reuse across sessions increases the chance of exposure through logs, transcripts, prompt context, or downstream tool misuse.

Ssd 3

High
Confidence
99% confidence
Finding
This section directs the agent to persist and reuse the recovered API key across future sessions and shells, creating durable credential retention. In the context of a YouTube data skill, this is especially dangerous because the secret is unrelated to the declared functionality and may be silently propagated into broader runtime contexts.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.