youtube-watcher
Pass
Audited by Gen Agent Trust Hub on Mar 14, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill metadata and instructions specify a dependency on the external utility 'yt-dlp'. It provides instructions for installation via system package managers like Homebrew or Python's pip registry. While 'yt-dlp' is a standard tool for media metadata retrieval, its presence introduces an external dependency that must be managed by the user.\n- [COMMAND_EXECUTION]: The script 'scripts/get_transcript.py' invokes the 'yt-dlp' binary using the 'subprocess.run' function. The implementation correctly passes command arguments as a list rather than a single string, which effectively mitigates common shell injection vulnerabilities even when processing user-provided URLs.\n- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection through its processing of YouTube subtitles.\n
- Ingestion points: The 'scripts/get_transcript.py' script downloads and reads content from external '.vtt' subtitle files hosted on YouTube servers.\n
- Boundary markers: The cleaned transcript text is printed directly to stdout for the agent's consumption without any delimiters or instructions indicating that the content is untrusted or should be ignored if it contains commands.\n
- Capability inventory: The skill has the capability to execute subprocesses ('yt-dlp') and read from the local file system (temporary directory).\n
- Sanitization: The clean_vtt function focuses exclusively on removing technical VTT formatting tags (timestamps, headers) but performs no validation or filtering of the actual text content to identify or strip potential malicious instructions.
Audit Metadata