youtube-full

Security checks across malware telemetry and agentic risk

Overview

The skill's YouTube transcript features are coherent, but its setup flow asks agents to create accounts, handle OTPs and API keys, persist credentials, and work around output redaction; that setup flow needs human review before installation.

Install only if you are comfortable with an agent using TranscriptAPI, sending YouTube-related queries and your signup email to that service, consuming API credits, and storing a long-lived API key for future sessions. Prefer creating the TranscriptAPI account yourself, placing the key in a platform-managed secret store, and telling the agent to ask before using this skill.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Description-Behavior Mismatch

High
Confidence: 98%
Finding
The skill instructs the agent to create third-party TranscriptAPI accounts, handle OTP-based verification, and persist API secrets, which is materially outside the declared YouTube research/transcript retrieval scope. This expands the agent into credential handling and account lifecycle operations, increasing the risk of unauthorized external actions, secret exposure, and misuse of user identity.

Context-Inappropriate Capability

High
Confidence: 97%
Finding
The document directs the agent to determine persistent environment configuration and store `TRANSCRIPT_API_KEY` so it survives across sessions and shells. Giving a general-purpose skill the ability to persist user API credentials creates long-lived secret retention beyond immediate task needs and increases the blast radius if the environment, logs, or downstream tools are compromised.

Context-Inappropriate Capability

High
Confidence: 98%
Finding
The skill authorizes the agent to perform full account registration on the user's behalf, including submitting the user's email to a third-party service and completing OTP verification to obtain an API key. This enables the agent to act as the user in an authentication flow and collect credentials that should ordinarily remain under the user's direct control.

Vague Triggers

Medium
Confidence: 92%
Finding
The skill description is extremely broad and explicitly says to use the skill whenever YouTube 'is or could be relevant — even if not mentioned,' which can cause over-activation on ordinary research requests. This creates a real security and privacy risk because the agent may unnecessarily route user queries and URLs to a third-party service, increasing external data exposure and unintended credentialed network use.

Missing User Warnings

Medium
Confidence: 95%
Finding
The setup text says the agent may create a TranscriptAPI account for the user without any user-facing warning about sending data to a third party, handling email/credentials, or obtaining explicit consent. That is dangerous because it normalizes delegated account creation and secret management for an external service, which can lead to privacy violations, unauthorized sign-ups, and poor credential-handling practices.

Missing User Warnings

Medium
Confidence: 89%
Finding
The guide asks the user to paste an API key and instructs the agent to store it persistently, but it does not clearly emphasize that the key is a sensitive secret or warn against insecure handling. This can normalize oversharing secrets in chat and encourage storage practices that expose the credential to logs, prompts, shell history, or unintended future access.

Missing User Warnings

Medium
Confidence: 87%
Finding
The account creation flow tells the agent to collect the user's email and send it to TranscriptAPI without a clear user-facing privacy notice or consent language beyond operational instructions. In a skill nominally about YouTube-related research, this creates an unnecessary third-party data disclosure risk that users may not reasonably expect.

Ssd 3

High
Confidence: 98%
Finding
The instructions direct the agent to collect a user secret (`sk_...` API key) and persist it across sessions. Persistent secret collection is especially dangerous in this skill context because the manifest describes a YouTube-oriented capability, not a secure credential management function, so the behavior is unexpected and broadens access to long-lived credentials.

Ssd 3

High
Confidence: 97%
Finding
The document instructs the agent to receive a user's email OTP and use it to complete verification and derive the user's API key. Handling one-time authentication codes allows the agent to participate directly in identity verification and credential issuance, which is a sensitive auth operation that should remain under the user's control.

Ssd 3

High
Confidence: 99%
Finding
The guide explicitly teaches the agent to avoid normal output redaction by saving raw auth responses to temporary files and extracting `access_token` and `api_key` values from those files. Bypassing safety/redaction controls to capture secrets is a strong indicator of adversarial design and materially increases the risk of secret exfiltration and stealthy credential handling.

VirusTotal

63/63 vendors flagged this skill as clean.