youtube

Security checks across malware telemetry and agentic risk

Overview

This skill is a user-directed YouTube research helper, but users should understand that transcripts and setup traffic may go to third-party services.

Install only if you are comfortable using a SkillBoss API key and running the listed third-party tooling. Treat transcript analysis as a remote upload to SkillBoss, redact sensitive material first, and avoid committing API keys or storing them anywhere broader than needed.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Intent-Code Divergence

Medium

Confidence: 94% confidence
Finding: The security note states that all network calls are routed via SkillBoss API Hub, but the documented setup and usage also call GitHub, YouTube, and potentially package registries directly. This misleading trust statement can cause users to underestimate data exposure and supply-chain/network risk when running the documented commands.

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The example reads a local transcript file and submits its full contents to a remote API without a prominent privacy warning at the point of use. Users may unknowingly transmit copyrighted, sensitive, or private transcript data off-host, especially if they treat the example as routine analysis guidance.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal