Youtube Lecture Analyzer

Security checks across malware telemetry and agentic risk

Overview

This skill does what its description says: it fetches YouTube subtitles, summarizes them, and saves a local report. Two points deserve a look before installing: the script routes its network requests through a hardcoded local proxy, and its --summary-only mode does not actually stop the report from being written to disk.

Install it only if you accept that network requests go through a local proxy at 127.0.0.1:26739 and that transcript text is saved to disk. Do not rely on --summary-only as a privacy or no-save mode until the script is fixed, and install its dependencies only from trusted package sources.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding
The script documents and parses a --summary-only flag, but analyze_lecture() never consults it and still writes a local file containing transcript-derived content. This breaks user expectations and causes unintended local persistence of potentially sensitive or copyrighted text, which matters most in automation, where an operator passes the flag precisely to suppress transcript storage.

Missing User Warnings

Severity: Low
Confidence: 90%
Finding
The script silently creates a local report file containing the extracted subtitle text, and neither the top-level help nor the usage text says so. In a skill or agent setting this hidden persistence raises the risk of storing sensitive, proprietary, or copyrighted content on disk unexpectedly. The impact is limited to local exposure; there is no path to code execution.
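The two findings above describe one bug pattern (a flag that is parsed but never read) and one documentation gap (help text that hides a disk write). The following is an added illustration, not the skill's own source: the function names fetch_subtitles, summarize, analyze_lecture_buggy and analyze_lecture_fixed, the report filename layout and the sample transcript are all constructed assumptions. It shows the divergent version beside a version that honours the flag, a parser whose --help states what touches the disk, and a behavioural check that catches the divergence without reading the code.

```python
import argparse
import tempfile
from pathlib import Path


# Constructed stand-ins for the skill's fetch and summary steps (assumed names).
# The real script talks to YouTube through its proxy and then summarizes.
def fetch_subtitles(video_id: str) -> str:
    return (f"[constructed transcript for {video_id}] Today we cover Diffie-Hellman. "
            "Never reuse ephemeral keys.")


def summarize(transcript: str) -> str:
    # Toy summary: the first sentence after the bracketed tag.
    body = transcript.split("]", 1)[1].strip()
    return body.split(".")[0] + "."


def analyze_lecture_buggy(video_id: str, summary_only: bool, out_dir: Path) -> dict:
    """Finding 1 pattern: summary_only is accepted and then ignored, so the
    transcript always lands on disk regardless of what the caller asked for."""
    transcript = fetch_subtitles(video_id)
    summary = summarize(transcript)
    report = out_dir / f"{video_id}_report.md"
    report.write_text(f"# Summary\n{summary}\n\n# Transcript\n{transcript}\n")
    return {"summary": summary, "report_path": str(report)}


def analyze_lecture_fixed(video_id: str, summary_only: bool, out_dir: Path) -> dict:
    """Honours the flag: in summary-only mode nothing is written to disk."""
    transcript = fetch_subtitles(video_id)
    summary = summarize(transcript)
    if summary_only:
        return {"summary": summary, "report_path": None}
    report = out_dir / f"{video_id}_report.md"
    report.write_text(f"# Summary\n{summary}\n\n# Transcript\n{transcript}\n")
    return {"summary": summary, "report_path": str(report)}


def build_parser() -> argparse.ArgumentParser:
    """Finding 2: state in --help exactly what is written and where."""
    parser = argparse.ArgumentParser(
        description="Fetch YouTube subtitles, summarize them, and save a local report.",
        epilog=("WARNING: unless --summary-only is given, the full transcript text "
                "is written to <out-dir>/<video_id>_report.md."),
    )
    parser.add_argument("video_id")
    parser.add_argument("--summary-only", action="store_true",
                        help="print the summary only; write nothing to disk")
    parser.add_argument("--out-dir", default=".", help="directory the report is written to")
    return parser


def flag_is_honored(analyze) -> bool:
    """Behavioural check for Finding 1: run the analyzer in summary-only mode
    inside a fresh temporary directory and confirm no file appeared."""
    with tempfile.TemporaryDirectory() as d:
        out_dir = Path(d)
        analyze("vid123", True, out_dir)
        return not any(out_dir.iterdir())


if __name__ == "__main__":
    args = build_parser().parse_args()
    result = analyze_lecture_fixed(args.video_id, args.summary_only, Path(args.out_dir))
    print(result["summary"])
    if result["report_path"]:
        print(f"report written to {result['report_path']}")
```

The flag_is_honored check is the kind of test a reviewer can run against any skill that advertises a no-save mode: point it at an empty directory, invoke the no-save path, and list the directory afterwards. It does not depend on how the flag is plumbed internally, so it keeps working when the code is refactored.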

VirusTotal

64/64 vendors flagged this skill as clean.
