Back to skill
Skillv0.1.0
VirusTotal security
Youtube Transcript Api · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 4:10 AM
- Hash
- 12c4f882c3b35f4dc912bd5b101971555b182ee38eba58c2ce7690a584aba72e
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: youtube-transcript-api Version: 0.1.0 The skill bundle is classified as suspicious due to the `webhook_url` parameter described in `SKILL.md`. While its stated purpose is for legitimate asynchronous delivery of ASR transcription results, it represents a risky capability. This parameter allows the API to send potentially sensitive video transcript data to an arbitrary, user-defined URL. If an AI agent is prompted by a malicious user to provide an attacker-controlled `webhook_url`, this could lead to unauthorized data exfiltration of the video transcripts, making it a significant prompt injection vulnerability against the agent.
- External report
- View on VirusTotal