x-youtube-analyzer

All three preliminary reports lack an input code fragment to assess for malware, backdoors, hard-coded credentials, or other supply-chain risks. Report 3 is the best among them by confidence but remains insufficient for any concrete analysis. An improved approach is to request the actual code/dependency fragment (e.g., package source, manifest, or build scripts) and provide a full, structured security assessment once received.

[Skill Scanner] Natural language instruction to download and install from URL detected All findings: [CRITICAL] command_injection: Natural language instruction to download and install from URL detected (CI009) [AITech 9.1.4] [HIGH] data_exfiltration: Credential file access detected (DE002) [AITech 8.2.3] [HIGH] supply_chain: Installation of third-party script detected (SC006) [AITech 9.1.4] [HIGH] data_exfiltration: Credential file access detected (DE002) [AITech 8.2.3] [HIGH] supply_chain: Installation of third-party script detected (SC006) [AITech 9.1.4] Functionally the skill matches its stated purpose (downloading public YouTube videos, extracting media with yt-dlp/ffmpeg, and summarizing with Gemini). I found no direct malicious code or obfuscated backdoors in the provided instruction text. Significant risks are operational: it instructs granting the agent broad shell/network permissions (required_permissions: ["all"]) and reading a plaintext API key from ~/.config/google/profiles.json. Those recommendations increase the chance of credential exposure or unintended data exfiltration if the runtime agent or environment is compromised. Treat the skill as SUSPICIOUS/vulnerable: acceptable if run under strict, least-privilege conditions, with rotated keys, vetted binaries, and network controls; risky if allowed broad agent permissions or run in multi-tenant / untrusted environments. LLM verification: The skill is functionally coherent and does not contain explicit malicious code in the provided fragment. However, it exhibits several high-risk operational patterns: encouraging blanket agent permissions (required_permissions: ['all']), reading long-lived API keys from a predictable local file, and relying on unpinned third-party binaries (ffmpeg, yt-dlp) and installs. These patterns substantially increase supply-chain and credential-exfiltration risk if an agent or dependency is compromised. R