Youtube Lecture Analyzer

Security checks across malware telemetry and agentic risk

Overview

This skill fetches a user-chosen YouTube transcript and saves a local analysis report, with disclosed caveats around a hardcoded local proxy and transcript storage.

Install only if you expect to use a local HTTP/HTTPS proxy on 127.0.0.1:26739 and trust whatever service is listening there. Run the skill in a directory where generated transcript reports are acceptable, and do not rely on --summary-only to avoid storing transcript text.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Intent-Code Divergence

Medium

Confidence: 89% confidence
Finding: The script advertises a '--summary-only' mode, but the implementation still fetches the full transcript and writes transcript text to disk. This is a real security/privacy issue because users may reasonably rely on the flag to avoid full data retention, yet the code processes and persists substantially more content than the interface promises.

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The script automatically writes a lecture analysis file containing up to 10,000 characters of transcript text to local disk without explicit prior consent or a dedicated opt-in. This creates a privacy and data-handling risk, especially if transcripts contain sensitive, licensed, or unexpected content and the user only intended ephemeral analysis.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal