Back to skill

Security audit

yt

Security checks across malware telemetry and agentic risk

Overview

This YouTube lookup skill is mostly functional for its stated purpose, but its setup guide gives the agent sensitive account, OTP, token, and persistent credential-handling duties that users should review carefully.

Install only if you are comfortable with TranscriptAPI.com receiving your YouTube-related inputs and with a persistent local TRANSCRIPT_API_KEY. Prefer creating the TranscriptAPI account yourself, adding the key through a trusted secret store, and avoiding any setup path where the agent handles OTPs or works around token redaction.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
This document is materially out of scope for a YouTube skill: it directs the agent to obtain, create, and persist TranscriptAPI credentials and accounts. That scope mismatch is dangerous because it expands the skill from content retrieval into credential handling and third-party account operations, increasing the chance of secret capture, misuse, and unauthorized persistence in the agent environment.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The instructions explicitly tell the agent to persistently store a third-party API key so it survives across sessions and shells, which creates a durable secret foothold on the local agent environment. Persistent storage increases blast radius if the environment is later compromised, and the guidance does not establish strong safeguards, minimal retention, or a trusted secret-management path.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The skill instructs the agent to create third-party accounts and complete OTP-based verification on the user's behalf, including handling email addresses, bearer tokens, and API-key issuance. This normalizes the agent acting as an authentication proxy, which is risky because it places sensitive registration and verification flows inside an untrusted automation context and can enable unauthorized account creation or takeover-like behavior if abused.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The activation text is very broad: it triggers on pasted links, IDs, handles, summaries, channel lookups, topic search, and even requests where YouTube is only implicitly relevant. In an agent environment, this can cause over-invocation of the skill and unnecessary transmission of user-provided content to a third-party service, increasing privacy and data-minimization risk.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill instructs the agent to send video URLs, search queries, handles, and related metadata to TranscriptAPI.com using an API key, but it does not disclose this third-party data transfer or advise caution with sensitive user inputs. Because the skill is user-invocable and broadly scoped, ordinary user content may be forwarded off-platform without clear notice or consent.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The instructions describe long-term local storage of a sensitive API key without a clear warning about persistence, exposure risk, who can access the stored secret, or how to remove it later. Even if the user intends to use the service, insufficient disclosure undermines informed consent and can lead to accidental credential retention in shared or less-trusted environments.

Ssd 3

High
Confidence
99% confidence
Finding
The document instructs the agent to ask the user to paste an API key directly into the conversation and then set it up persistently, which is a direct solicitation and retention of secret material. Collecting secrets in-band through chat increases the risk of logging, replay, downstream tool exposure, and accidental disclosure beyond the immediate task.

Ssd 3

High
Confidence
98% confidence
Finding
The narrative tells the agent to collect a 6-digit email-delivered verification code from the user and use it to obtain an API key, effectively making the agent an intermediary in a multi-factor or account-verification flow. OTPs are authentication material, and routing them through the agent creates phishing-like behavior, expands exposure of the code, and weakens the separation between user identity proof and automation.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.