Back to skill

Security audit

Youtube Instant Article

Security checks across malware telemetry and agentic risk

Overview

This skill does its advertised article-publishing job, but it can turn ordinary YouTube summary requests into third-party uploads and public Telegraph publishing while broadly loading local environment files.

Install only if you intend this to be a publish-to-Telegraph tool, not a private YouTube summarizer. Use dedicated least-privilege Telegraph and OpenAI credentials, avoid sourcing broad .env files, and assume video-derived text and images may be sent to third-party services and become publicly accessible.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (18)

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The skill presents itself as a YouTube summarization/article tool, but it also sources local `.env` files and sends data to additional third parties including catbox.moe and Telegraph. That mismatch is dangerous because users may invoke it expecting only summarization, while the skill can expose local secrets or publish extracted content externally without informed consent.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The wrapper sources both a local .env and $HOME/clawd/.env even though the stated function is only to convert YouTube content into an article. Sourcing shell files executes arbitrary shell code in addition to loading variables, so this expands the trust boundary to unrelated files that may contain secrets or malicious commands.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The script uploads locally extracted slide images from the user's requested YouTube processing job to catbox.moe, a separate third-party file host unrelated to the stated YouTube-to-Telegraph transformation workflow. This causes unannounced external disclosure of generated media and creates privacy, retention, and trust risks because the images leave the agent environment and may become publicly accessible.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README explicitly describes sending extracted video slides to catbox.moe and publishing generated content to Telegraph, but it does not warn that user-supplied YouTube content and derived media will be transmitted to third-party services. In the context of an agent skill that auto-processes shared YouTube URLs, this creates a real data-disclosure risk because users may not realize their requested content is being externally hosted and made public.

Vague Triggers

Medium
Confidence
89% confidence
Finding
Declaring the skill as the default for all YouTube requests with broad triggers increases the chance of unintended execution. In context, unintended execution matters because this skill performs external uploads and article publication, so accidental invocation can cause privacy and data-handling consequences beyond a simple local summary.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger phrases are everyday language such as 'Summarize this video' and 'What's this video about?', which are too broad for a skill that republishes content to third-party services. This broad matching makes accidental activation more likely, especially when a safer non-publishing summarization path may exist.

Missing User Warnings

High
Confidence
96% confidence
Finding
The skill does not clearly warn users that it uploads extracted slide images to catbox.moe and creates a Telegraph article, which is a material external disclosure of user-requested content. This is dangerous because users may unknowingly cause content publication or redistribution to persistent third-party hosts.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill states that OpenAI GPT-5.2 is used for summarization, but it does not clearly warn users that video-derived content and metadata are sent to OpenAI. This is a privacy and compliance concern, particularly for sensitive, private, or copyrighted video material.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
This script silently loads environment files that commonly contain API keys, tokens, or other credentials, without disclosing that behavior to the user. In an agent skill context, hidden credential loading is risky because the downstream script may use or expose those secrets in ways unrelated to the user’s YouTube request.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The upload of slide images to catbox.moe happens silently with no user-facing warning or consent, even though this transmits derived content outside the expected processing boundary. In an agent skill, hidden external data transfer is especially dangerous because users may assume summarization is local or limited to the named destination service.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill publishes article content to Telegraph using a token, but gives no clear warning that the summary and associated content will be remotely published. This can expose user-requested content publicly or to a remote account unexpectedly, which is a meaningful privacy and data-governance risk.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script prints the newly created Telegraph access token directly to the terminal and recommends persisting it in shell profiles or a local .env file without clearly labeling it as a secret. This increases the chance of credential exposure through terminal logs, screen sharing, shell history-adjacent workflows, backup/sync of dotfiles, or accidental inclusion of .env files in source control.

External Transmission

Medium
Category
Data Exfiltration
Content
echo "🌐 Publishing..." >&2

RESPONSE=$(curl -s -X POST "https://api.telegra.ph/createPage" \
    -H "Content-Type: application/json" \
    -d "$(jq -n \
        --arg t "$TELEGRAPH_TOKEN" \
Confidence
94% confidence
Finding
curl -s -X POST "https://api.telegra.ph/createPage" \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
echo "🌐 Publishing..." >&2

RESPONSE=$(curl -s -X POST "https://api.telegra.ph/createPage" \
    -H "Content-Type: application/json" \
    -d "$(jq -n \
        --arg t "$TELEGRAPH_TOKEN" \
Confidence
94% confidence
Finding
https://api.telegra.ph/

Credential Access

High
Category
Privilege Escalation
Content
SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"

# Source .env if it exists
[[ -f "$SCRIPT_DIR/.env" ]] && source "$SCRIPT_DIR/.env"
[[ -f "$HOME/clawd/.env" ]] && source "$HOME/clawd/.env"

exec "$SCRIPT_DIR/scripts/generate.sh" "$@"
Confidence
96% confidence
Finding
.env"

Credential Access

High
Category
Privilege Escalation
Content
SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"

# Source .env if it exists
[[ -f "$SCRIPT_DIR/.env" ]] && source "$SCRIPT_DIR/.env"
[[ -f "$HOME/clawd/.env" ]] && source "$HOME/clawd/.env"

exec "$SCRIPT_DIR/scripts/generate.sh" "$@"
Confidence
96% confidence
Finding
.env"

Credential Access

High
Category
Privilege Escalation
Content
# Source .env if it exists
[[ -f "$SCRIPT_DIR/.env" ]] && source "$SCRIPT_DIR/.env"
[[ -f "$HOME/clawd/.env" ]] && source "$HOME/clawd/.env"

exec "$SCRIPT_DIR/scripts/generate.sh" "$@"
Confidence
98% confidence
Finding
.env"

Credential Access

High
Category
Privilege Escalation
Content
# Source .env if it exists
[[ -f "$SCRIPT_DIR/.env" ]] && source "$SCRIPT_DIR/.env"
[[ -f "$HOME/clawd/.env" ]] && source "$HOME/clawd/.env"

exec "$SCRIPT_DIR/scripts/generate.sh" "$@"
Confidence
98% confidence
Finding
.env"

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.