Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 70% confidence
- Finding
- Without declared permissions the skill's intent is opaque and cannot be validated.
OpenClaw YouTube Publisher
Security checks across malware telemetry and agentic risk
Overview
This skill is a disclosed YouTube publishing workflow helper that creates local run records and reports, with no evidence of hidden credential access or unrelated behavior.
Install only if you are comfortable using it with a logged-in YouTube browser profile. Keep final publishing user-approved, review generated reports and screenshots before sharing, and avoid putting cookies, tokens, private paths, or sensitive account details into manifests or notes.
SkillSpector
By NVIDIA
Vulnerability Patterns
- Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
- MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
- Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
- Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
- Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)
Credential Access
High
- Category
- Privilege Escalation
- Content
### Safety rules - Do not store cookies, secrets, or access tokens in notes or artifacts. - Do not use private absolute filesystem paths in the final bundle. - Treat moderation delays and post-processing lag as publish outcomes to record, not as silent success.
- Confidence
- 70% confidence
- Finding
- access tokens
VirusTotal
66/66 vendors flagged this skill as clean.