youtube-playlist

Security checks across malware telemetry and agentic risk

Overview

This YouTube transcript skill is coherent, but it needs review because it encourages agent-managed account creation and persistent API-key storage without clear user controls.

Install only if you are comfortable using TranscriptAPI and sending YouTube-related requests to that service. Prefer creating the account yourself, entering the API key through a secure secret mechanism, and avoiding shell-profile or long-term key storage unless you know how to revoke and remove it later.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Description-Behavior Mismatch

High
Confidence: 98%
Finding
The file instructs the agent to obtain, handle, and persist a third-party API credential and even create accounts on the user's behalf, which materially exceeds the declared YouTube-playlist scope. This creates an unjustified secret-handling and account-management capability that could expose user credentials, enable unauthorized service use, and normalize over-privileged behavior in a skill that should only browse playlist content.

Context-Inappropriate Capability

High
Confidence: 97%
Finding
These instructions direct the agent to determine how to persist an environment variable across future sessions and non-interactive shells before any user-specific need is established. In the context of a playlist skill, this is dangerous because it teaches the agent to perform durable secret installation on the host, expanding impact from a single task to long-term credential presence and possible reuse by other processes or future sessions.

Context-Inappropriate Capability

High
Confidence: 98%
Finding
The skill tells the agent to register a TranscriptAPI account, receive an email OTP workflow, and verify the account for the user, which is unrelated to playlist browsing and crosses into identity and account lifecycle operations. This broadens the agent's authority to act on behalf of the user with external services and creates risk of unwanted account creation, mishandling of verification tokens, and collection of sensitive authentication material outside the skill's stated purpose.

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill explicitly suggests 'Or let the agent create one for you' when obtaining a TranscriptAPI key, but it does not warn the user about the risks of delegating third-party account creation or credential handling to the agent. This can lead users to unknowingly authorize the agent to create external accounts, receive verification messages, or handle API keys in ways that increase the chance of credential exposure, misuse, or loss of account control.

Missing User Warnings

Medium
Confidence: 94%
Finding
The instructions require persistent storage of an `sk_` API key and verification that it is available in future sessions, but they do not require informed consent, retention limits, or a warning about the risks of long-term credential storage. In a skill whose purpose is playlist handling, this mismatch makes the behavior more dangerous because users would not reasonably expect durable secret installation as part of the task.

VirusTotal

63/63 vendors flagged this skill as clean.
