tl;dw - YouTube Video Summarizer

Security checks across malware telemetry and agentic risk

Overview

This YouTube summarizer is mostly purpose-aligned, but it can use browser session cookies while disabling certificate checks, which creates account-session risk users are not clearly warned about.

Review before installing. Prefer using it only for public YouTube videos without cookies. If you use cookies, treat the cookie file like a password, keep it out of shared folders and source control, delete it after use, and avoid untrusted networks unless certificate checking is restored.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The skill instructs users to export and use browser cookies to access age-restricted or members-only YouTube content, but it does not warn that cookie files are highly sensitive authentication material. If mishandled, stored insecurely, or reused improperly, these cookies could enable unauthorized access to the user's account session and expose private account data or paid content.

Missing User Warnings

Low

Confidence: 89% confidence
Finding: The documentation advertises local caching of transcripts without warning that transcript text and associated metadata will be persisted on disk. This can expose potentially sensitive viewing activity, extracted content, titles, descriptions, and related metadata to other local users, backups, or forensic recovery if the host is shared or insufficiently secured.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal