youtube-data

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly a disclosed YouTube-data integration, but its setup guide gives the agent broad authority to create accounts, handle OTPs and tokens, and persist API keys without clear safeguards.

Install only if you are comfortable letting the agent use TranscriptAPI on your behalf and potentially store a TranscriptAPI key persistently. Prefer creating the account yourself, providing the key through a secure secret store, confirming exactly where it is saved, and avoiding sensitive or private YouTube URLs or search terms.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Description-Behavior Mismatch

High
Confidence: 98%
Finding
This guide authorizes the agent to create and manage a third-party TranscriptAPI account and persist its credential, which is outside the stated YouTube-data retrieval scope. That scope mismatch is dangerous because it expands the skill from content retrieval into identity, authentication, and secret-management operations, creating unnecessary opportunity for credential abuse or unauthorized account provisioning.

Context-Inappropriate Capability

High
Confidence: 99%
Finding
The file instructs the agent to perform full signup and OTP verification on the user's behalf, including handling email-based verification codes and bearer tokens. This grants the skill unjustified authority over an external account lifecycle, enabling account creation and authenticated actions unrelated to the manifest's narrowly described purpose.

Context-Inappropriate Capability

Medium
Confidence: 96%
Finding
The document tells the agent to determine how to persistently store TRANSCRIPT_API_KEY across sessions and non-interactive shells. For a YouTube-data skill, this is an unnecessary secret-management capability that increases blast radius if the environment is shared, compromised, or later used by unrelated workflows.

Vague Triggers

Medium
Confidence: 92%
Finding
The trigger text is unusually expansive: it activates not only on explicit YouTube URLs but also on generic creator-name, topic-research, and implicitly inferred requests. That can cause the agent to invoke this skill on broad research tasks and route user queries to a third-party API unnecessarily, increasing the chance of unintended external data sharing, wasted credits, and incorrect tool selection.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill instructs the agent to send requests containing user-supplied video URLs, search queries, channel identifiers, and an API credential to TranscriptAPI.com, but it does not disclose that user data will leave the local agent context and be processed by a third party. In a research/transcript skill, this omission is more significant because users may paste sensitive unpublished, private, or identifying query terms assuming the agent is handling them directly.

Missing User Warnings

Medium
Confidence: 91%
Finding
The guide solicits a sensitive API key and directs the agent to retain it without clearly informing the user about persistence, reuse across future sessions, or the privacy/security implications. Lack of informed consent around long-term secret storage can lead users to disclose credentials they did not intend to entrust to the agent environment.

Missing User Warnings

Medium
Confidence: 95%
Finding
The instructions require writing raw authentication responses containing access tokens and API keys to temporary files, but provide no safeguards on file permissions, location, lifecycle, or exposure to other processes. Even temporary files can leak secrets through world-readable temp directories, backups, crash artifacts, or later inspection if cleanup fails.

Ssd 3

Medium
Confidence: 97%
Finding
The skill directs the agent to solicit both an API key and a one-time verification code from the user, then use those secrets to configure ongoing access. Collecting authentication material directly in chat and persisting it increases exposure to transcript logging, accidental disclosure, and misuse beyond the immediate request.

Ssd 3

Medium
Confidence: 97%
Finding
The final storage instructions explicitly require the recovered API key to remain available in future sessions, including non-interactive shells. Persistent cross-session credential availability materially increases the chance of unintended reuse, lateral exposure, and compromise, especially because this capability is not justified by the skill's declared purpose.

VirusTotal

63/63 vendors flagged this skill as clean.