Back to skill

Security audit

Keyapi Youtube

Security checks across malware telemetry and agentic risk

Overview

The skill looks like a legitimate KeyAPI YouTube integration, but it stores API credentials in shell startup files and provides broad live API/file helper commands that deserve review before installation.

Install only if you are comfortable giving the skill a KeyAPI token and letting it make live KeyAPI requests for YouTube data. Prefer setting KEYAPI_TOKEN only for the active session or using a secret manager instead of the setup script’s persistent shell-profile storage. Avoid --token on shared machines, do not point --query-file, --body-file, or --image-file at sensitive local files, and use --output-file only in a workspace or temporary path you control.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The script persistently stores a bearer token in plaintext inside shell startup files such as .zshrc, .bashrc, .profile, or PowerShell profiles. This increases exposure because local users, backup systems, dotfile sync tools, crash reports, or later scripts may read the token, turning a convenience feature into long-lived credential leakage risk.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
This script is effectively a generic authenticated HTTP client for the entire KeyAPI YouTube namespace, not a narrowly constrained YouTube-analysis helper. It accepts arbitrary methods, paths/endpoints, query/body data, and file-backed inputs, which expands capability beyond the declared skill purpose and increases the chance of misuse, data exfiltration, or invoking unintended API operations if the surrounding agent is compromised or prompted maliciously.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The script reads the user's shell profile files and parses a managed block to recover KEYAPI_TOKEN, which accesses local sensitive files unrelated to the immediate YouTube analysis task. Even though it targets a specific variable, this creates unnecessary filesystem access to secret-bearing files and normalizes credential harvesting behavior in a skill that should rely on explicitly provided runtime secrets.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The script can read arbitrary local files via --query-file, --body-file, and --image-file, then transmit their contents to a remote API or save full responses to arbitrary output paths. In a prompt-influenced agent context, this creates a direct local file disclosure and filesystem write primitive that exceeds the stated YouTube data-analysis scope and could be abused to exfiltrate secrets or overwrite user files.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The file explicitly states that API calls are 'live by default' and that repeating the same parameters triggers another outbound request, but it does not require a clear user-facing warning or confirmation before transmitting user-provided data to a third-party service. In a skill that processes arbitrary YouTube queries, channel URLs, video URLs, and possibly sensitive research topics, this can cause unintentional disclosure of user inputs and repeated external transmission without informed consent.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.env_credential_access, suspicious.secret_argv_exposure

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/keyapi-api.mjs:127

Instructions pass high-value credentials through process argv.

Critical
Code
suspicious.secret_argv_exposure
Location
references/setup-and-auth.md:42