yt

Security checks across malware telemetry and agentic risk

Overview

The skill’s YouTube lookup function is coherent, but its setup guide gives the agent broad and sensitive control over account signup, OTP handling, token extraction, and persistent credential storage.

Install only if you are comfortable with TranscriptAPI receiving your YouTube queries and with a persistent local API key. Prefer creating the account yourself, using a dedicated key in a platform-managed secret store, and avoiding any flow where the agent handles OTPs or works around redaction controls.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands

Findings (10)

Description-Behavior Mismatch

High

Confidence: 99% confidence
Finding: This document instructs a YouTube-focused skill to create third-party TranscriptAPI accounts, handle OTP verification, obtain API credentials, and persist them locally. That behavior is outside the declared scope of the skill and materially expands the agent's authority into credential acquisition and secret management, which creates an opportunity for unauthorized account creation, secret collection, and misuse.

Context-Inappropriate Capability

High

Confidence: 98% confidence
Finding: The skill tells the agent to determine how to persist an environment variable across sessions and non-interactive shells, even before confirming necessity or obtaining informed consent. For a YouTube lookup/summarization skill, instructing persistent secret installation is unjustified and dangerous because it modifies the host environment and creates durable access beyond the immediate task.

Vague Triggers

Medium

Confidence: 96% confidence
Finding: The trigger description is very broad ('even if YouTube is not mentioned explicitly'), which can cause the skill to activate for many ordinary requests and route user content to this skill unexpectedly. In this skill's context, over-activation is more dangerous because it can cause external network calls to a third-party service using user-supplied queries, links, handles, or IDs without a clear, narrow relevance check.

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The skill documentation describes external API usage but does not clearly warn at the user-facing trigger/description level that requests, search terms, video URLs, handles, and related inputs are sent to TranscriptAPI.com. In context, this is risky because a broadly-triggered media lookup skill may exfiltrate user-provided content to a third party without users realizing their prompts and identifiers leave the local agent environment.

Vague Triggers

Medium

Confidence: 87% confidence
Finding: The guidance is overly broad because it directs the agent to inspect the local platform and choose any persistence mechanism that works in the current environment. In context, that ambiguity is risky: it encourages invasive environment discovery and arbitrary configuration changes without bounded behavior, which increases the attack surface and makes harmful actions more likely.

Missing User Warnings

High

Confidence: 98% confidence
Finding: The document directs the agent to store a sensitive API key persistently and ensure it is available in future sessions, but provides no requirement to warn the user about secret storage, shell/config modification, or long-term exposure. This is dangerous because users may unknowingly authorize durable credential installation on their machine or agent environment.

Ssd 3

High

Confidence: 99% confidence
Finding: The skill explicitly asks the user to paste an API key and later an OTP, then routes those secrets into a flow designed to store them for future use. Soliciting and handling both a secret key and one-time verification code is highly sensitive, and in this context it serves a non-YouTube third-party integration unrelated to the declared skill scope.

Ssd 3

High

Confidence: 100% confidence
Finding: These instructions tell the agent to save raw authentication responses to a temporary file and then extract the access token from that file specifically to avoid platform redaction. That is an explicit bypass of protective secret-handling controls, enabling the model or agent workflow to access bearer tokens that the platform intended to conceal.

Ssd 3

High

Confidence: 100% confidence
Finding: The verify flow repeats the same redaction-bypass pattern for the final API key, instructing the agent to read the key from a raw response file rather than allowing safeguards to hide it. This directly facilitates credential harvesting and persistence, turning a transient verification step into long-term secret capture.

Ssd 3

High

Confidence: 100% confidence
Finding: The FAQ institutionalizes the redaction workaround by telling agents that if secrets appear redacted, they should write raw HTTP responses to temp files first. Because this is framed as recommended operating guidance, it demonstrates deliberate intent to defeat platform protections and materially increases the likelihood of secret exfiltration and unauthorized reuse.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal