
Security audit

YouTube Transcript Analyzer

Security checks across malware telemetry and agentic risk

Overview

The skill does what it claims, but it may automatically download and run an unverified helper program (yt-dlp) on the user's machine.

Install only if you are comfortable with the skill running a shell script and contacting YouTube and GitHub. Safer use: install a trusted, version-pinned yt-dlp yourself first, review the script, and do not let it auto-download executables into your home directory.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (5)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 86%
Finding: The skill instructs the user to run a shell script which, per the finding context, can download and install yt-dlp, yet it declares no permissions and discloses no trust boundary. Undeclared shell and network execution raises supply-chain and execution risk because operators may invoke the skill believing it is documentation-only or runs at lower privilege than it actually does.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 92%
Finding: The documented behavior materially differs from the actual capability: the skill claims broad transcript analysis for any YouTube URL, but the implementation reportedly fetches a binary from GitHub via curl and has narrower subtitle and language support than claimed. The mismatch is dangerous because it can conceal unexpected code download and execution and lead users or systems to authorize the skill under false assumptions.

Description-Behavior Mismatch

Severity: Medium
Confidence: 96%
Finding: The script silently expands its capabilities from transcript extraction to software installation by downloading a third-party executable and placing it in the user's home directory. This is a supply-chain and trust-boundary risk: a network-fetched binary is executed without verification, consent, or version pinning, which goes well beyond what the skill's stated purpose implies.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding: Downloading an executable from GitHub and then executing it is a genuine supply-chain risk. Even if the upstream project is legitimate, pulling the 'latest' binary without integrity verification, version pinning, or user approval exposes users to compromise through tampering of the release, takeover of the maintainer's account, or unexpected upstream changes.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding: The script writes an executable to ~/yt-dlp and marks it executable without any upfront warning or consent. This modifies the user's environment unexpectedly and may normalize running unreviewed software, widening the blast radius beyond simple transcript extraction.
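The overview recommends installing a trusted, pinned yt-dlp yourself, and the findings above object to an unpinned "latest" binary being fetched, written to ~/yt-dlp and made executable with no integrity check. The script below is an added example for this audit, not the skill's own script and not code from the yt-dlp project: it reconstructs the unverified pattern the findings describe for contrast, then shows the same step done with a fixed release tag and a checksum verified before the file is ever made executable. The GitHub release URL layout, the existence of a per-release SHA2-256SUMS file with "<hex>  <filename>" lines, the version tag and the destination path are assumptions, not facts from the audit page; the offline demonstration at the end uses constructed files only.

```shell
#!/bin/sh
# Added example for this audit; not the skill's own script and not code from the yt-dlp
# project. install_unverified reconstructs the pattern the findings describe; the rest is
# the pinned, checksum-verified alternative the overview recommends.
# Assumptions (not on the audit page): the GitHub release URL layout, that each release
# ships a SHA2-256SUMS file with "<hex>  <filename>" lines, the version tag and the
# destination path. Check the layout against the upstream release page before relying on it.

# What the findings describe: whatever "latest" resolves to today, no version pin, no
# integrity check, written into $HOME and made executable in one step. Shown for contrast.
install_unverified() {
    curl -L "https://github.com/yt-dlp/yt-dlp/releases/latest/download/yt-dlp" \
        -o "$HOME/yt-dlp" && chmod +x "$HOME/yt-dlp"
}

# Lower-case hex SHA-256 of a file, using whichever tool the host has (coreutils or shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Digest listed for artifact $2 in a SHA2-256SUMS-style file $1 ("<hex>  <name>"; a leading
# '*' on the name, as written by sha256sum -b, is tolerated). Fails silently if not listed.
expected_sha256() {
    digest=$(awk -v n="$2" '$2 == n || $2 == "*" n { print $1; exit }' "$1" | tr 'A-F' 'a-f')
    [ -n "$digest" ] || return 1
    printf '%s\n' "$digest"
}

# True only if file $1 hashes to the 64-hex-char digest $2. An empty or truncated expected
# value fails closed instead of matching nothing against nothing.
verify_sha256() {
    [ "${#2}" -eq 64 ] || return 1
    [ "$(sha256_of "$1")" = "$(printf '%s' "$2" | tr 'A-F' 'a-f')" ]
}

# Pinned and verified: a fixed release tag, HTTPS only, the digest checked BEFORE the file
# becomes executable, and a scratch directory so a failed check never leaves a runnable
# binary behind. This is the network step; the offline demo below does not call it.
install_pinned() {
    version="$1"; dest="$2"
    base="https://github.com/yt-dlp/yt-dlp/releases/download/$version"   # layout assumed
    tmp=$(mktemp -d) || return 1
    curl --fail --silent --show-error --location --proto '=https' --tlsv1.2 \
         -o "$tmp/yt-dlp" "$base/yt-dlp" \
         -o "$tmp/SHA2-256SUMS" "$base/SHA2-256SUMS" || { rm -rf "$tmp"; return 1; }
    expected=$(expected_sha256 "$tmp/SHA2-256SUMS" yt-dlp) || { rm -rf "$tmp"; return 1; }
    if ! verify_sha256 "$tmp/yt-dlp" "$expected"; then
        echo "yt-dlp $version: checksum mismatch, refusing to install" >&2
        rm -rf "$tmp"; return 1
    fi
    install -m 0755 "$tmp/yt-dlp" "$dest"; rc=$?
    rm -rf "$tmp"; return $rc
}

# Offline demonstration with constructed files (no network): a stand-in "downloaded"
# artifact, a sums file that lists it, and a tampered copy that must be rejected.
demo() {
    d=$(mktemp -d) || return 1
    printf 'constructed stand-in for the yt-dlp binary\n' > "$d/yt-dlp"
    printf '%s  yt-dlp\n' "$(sha256_of "$d/yt-dlp")" > "$d/SHA2-256SUMS"
    printf 'constructed stand-in, TAMPERED\n' > "$d/yt-dlp.tampered"
    exp=$(expected_sha256 "$d/SHA2-256SUMS" yt-dlp)
    verify_sha256 "$d/yt-dlp" "$exp" && echo "genuine copy: digest matches, safe to chmod +x"
    verify_sha256 "$d/yt-dlp.tampered" "$exp" || echo "tampered copy: digest mismatch, rejected"
    rm -rf "$d"
}
demo
```

The verification only defends against a tampered or swapped download; it does not make the upstream project trustworthy, and the SHA2-256SUMS file comes from the same release the binary does, so a fully compromised maintainer account could replace both. Pinning the tag at least makes that an explicit, reviewable change rather than something "latest" picks up silently. Where a package manager or a hash-pinned pip install is available, prefer that over either pattern above.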

VirusTotal

66/66 vendors reported this skill as clean (0 detections). The scan covers only the skill's own files; the yt-dlp binary the script fetches at runtime is not part of the scanned artifact and is not covered by this result.
