youtube-outliers
Pass
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: SAFE COMMAND_EXECUTION PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to Indirect Prompt Injection (Category 8) in the transcript summarization process.
  - Ingestion points: Raw transcript text is fetched from YouTube via an Apify actor in `scripts/scrape_youtube_outliers.py` and `scripts/update_transcripts.py`.
  - Boundary markers: None. The transcript is directly interpolated into the prompt string using f-strings: `f"""... Transcript: {text[:100000]} ..."""`.
  - Capability inventory: The script can execute local system commands via `subprocess`, perform network requests to Apify and Anthropic APIs, and write data to Google Sheets.
  - Sanitization: No escaping or validation is performed on the transcript content before it is sent to the LLM. An attacker could embed instructions in a video transcript to manipulate the resulting summary or attempt to influence the agent's behavior.
- [COMMAND_EXECUTION]: The script `scripts/scrape_youtube_outliers.py` executes the external binary `yt-dlp` using `subprocess.run`.
  - Evidence: Multiple calls to `run_ytdlp(cmd)` where `cmd` includes the `yt-dlp` command and user-provided or scraped arguments (keywords, channel URLs).
  - Mitigation: The script uses the list format for `subprocess.run`, which prevents shell-level command injection, but the skill depends on the presence and integrity of an external executable not managed by the skill itself.
Audit Metadata