Youtube Instant Article

Security checks across malware telemetry and agentic risk

Overview

This skill does what it advertises, but it can automatically upload video-derived images and publish summaries externally when a user may have only asked for a YouTube summary.

Install only if you are comfortable with YouTube-derived text and images being sent to OpenAI/summarize, catbox.moe, and Telegraph, and potentially becoming publicly accessible. Use a dedicated least-privilege Telegraph token, avoid sourcing broad .env files, and treat this as a publish-to-article tool rather than a default private YouTube summarizer.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (15)

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The skill's top-level description focuses on summarizing YouTube videos into Telegraph articles, but the documentation reveals additional data flows to third-party services such as catbox.moe and Telegraph. This mismatch is dangerous because users and operators may not realize that extracted images, video-derived content, and potentially account-related setup actions are sent or persisted outside the expected summarization path.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The quick-start command instructs sourcing a local `.env` file that contains API secrets before running the script. This broadens the skill's effective access beyond the immediate task and increases the risk of accidental secret exposure through shell execution, subprocess inheritance, debug output, or misuse by modified scripts.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The wrapper sources both a local .env and a user-home .env before running the YouTube article generator, which expands the skill's trust boundary far beyond its stated purpose. Because shell 'source' executes the file as code, a crafted or compromised .env can run arbitrary commands or inject sensitive values into downstream behavior.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README explicitly promotes uploading extracted video frames to catbox.moe with 'no expiration' but does not warn users that video-derived images may be stored indefinitely on a third-party host outside the user's control. In a skill that processes arbitrary YouTube links and republishes outputs, this omission creates a real privacy and content-governance risk because copyrighted, sensitive, or unintended frames may be permanently exposed.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README describes summarization and Telegraph publishing as core features but does not clearly disclose that video content, metadata, summaries, and generated article content are sent to external services including OpenAI, Telegraph, and catbox.moe. For a default YouTube-processing skill, this is a meaningful security/privacy issue because users may assume local processing while the skill actually republishes or transmits third-party content off-platform.

Vague Triggers

Medium
Confidence
87% confidence
Finding
Declaring this as the default skill for all YouTube requests creates an overly broad trigger surface, increasing the chance the skill runs in contexts where the user did not intend article creation or external publication. In this skill, that is more dangerous because invocation can lead to content extraction, third-party uploads, and API-backed publishing rather than a local-only summary.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documentation describes output features but does not clearly warn that video-derived data and generated assets are sent to external services including OpenAI, catbox.moe, and Telegraph. Lack of disclosure undermines informed consent and can expose sensitive or copyrighted content to third parties unexpectedly.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script silently loads environment files that commonly contain API keys, tokens, or other secrets, without disclosing this behavior to the user. In an agent skill context, this is risky because the loaded secrets may influence subcommands or be exposed to child processes unrelated to the requested YouTube summarization task.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script uploads extracted video slides to catbox.moe, a third-party file host, without any explicit notice or consent flow. Even if the source is a public YouTube video, the generated slide set and any derived artifacts are transmitted off-platform, which can violate user expectations, privacy requirements, or data-handling policies.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script sends generated article content to Telegraph and includes the TELEGRAPH_TOKEN in the request body, but provides no explicit warning that data and credentials are being transmitted to an external service. This creates a data-governance risk and can expose sensitive derived content or operational secrets to third-party infrastructure.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script prints the newly created Telegraph access token directly to stdout and then instructs the user to persist it in shell startup files or a local .env file without any warning about secret handling. This increases the risk of accidental disclosure through terminal logs, shell history, screen sharing, backups, or committing .env/profile changes to source control.

Credential Access

High
Category
Privilege Escalation
Content
SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"

# Source .env if it exists
[[ -f "$SCRIPT_DIR/.env" ]] && source "$SCRIPT_DIR/.env"
[[ -f "$HOME/clawd/.env" ]] && source "$HOME/clawd/.env"

exec "$SCRIPT_DIR/scripts/generate.sh" "$@"
Confidence
96% confidence
Finding
.env"

Credential Access

High
Category
Privilege Escalation
Content
SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"

# Source .env if it exists
[[ -f "$SCRIPT_DIR/.env" ]] && source "$SCRIPT_DIR/.env"
[[ -f "$HOME/clawd/.env" ]] && source "$HOME/clawd/.env"

exec "$SCRIPT_DIR/scripts/generate.sh" "$@"
Confidence
96% confidence
Finding
.env"

Credential Access

High
Category
Privilege Escalation
Content
# Source .env if it exists
[[ -f "$SCRIPT_DIR/.env" ]] && source "$SCRIPT_DIR/.env"
[[ -f "$HOME/clawd/.env" ]] && source "$HOME/clawd/.env"

exec "$SCRIPT_DIR/scripts/generate.sh" "$@"
Confidence
98% confidence
Finding
.env"

Credential Access

High
Category
Privilege Escalation
Content
# Source .env if it exists
[[ -f "$SCRIPT_DIR/.env" ]] && source "$SCRIPT_DIR/.env"
[[ -f "$HOME/clawd/.env" ]] && source "$HOME/clawd/.env"

exec "$SCRIPT_DIR/scripts/generate.sh" "$@"
Confidence
98% confidence
Finding
.env"

VirusTotal

66/66 vendors flagged this skill as clean.