Skills
skills/aeonbridge/ab-anthropic-claude-skills/yt-dlp/Snyk

yt-dlp

Warn

Audited by Snyk on Feb 21, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 1.00). The SKILL.md explicitly instructs fetching and parsing arbitrary public URLs (e.g., yt-dlp "URL" examples and the "Information Extraction" commands like --dump-json/--get-title and the Python example ydl.extract_info('URL', download=False')) from user-generated sites (YouTube, Reddit, Twitter/X, etc.), so untrusted third‑party content is read and could materially influence subsequent tool actions.

MEDIUM W013: Attempt to modify system services in skill instructions.

  • Attempt to modify system services in skill instructions detected (high risk: 0.80). The prompt includes explicit sudo-based installation steps (writing to /usr/local/bin, apt add-apt-repository/install, sudo chmod, etc.) that instruct modifying system files and require root privileges, so it pushes state-changing privileged actions.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Feb 21, 2026, 01:44 AM