youtube
Warn
Audited by Gen Agent Trust Hub on Mar 8, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTIONEXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The script
scripts/transcript.pyis vulnerable to path traversal. Thevideo_idfunction provides a fallback that extracts the first 11 characters of a provided URL if it doesn't match standard YouTube patterns. This identifier is used to construct file paths for searching (glob), reading, and deleting (unlink) files on the local system. If an attacker provides a crafted path-like string as a URL, the script may interact with files outside the intended output directory. - [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests untrusted data from external sources.
- Ingestion points: Untrusted data enters the system through
scripts/transcript.py(which parses YouTube subtitles) andscripts/info.py(which fetches video metadata). - Boundary markers: The skill does not use any delimiters or boundary markers to isolate external content from instructions.
- Capability inventory: The skill can execute commands via
subprocess.run, download content viayt-dlp, and read, write, and delete files in the local directory. - Sanitization: While
scripts/transcript.pycleans technical VTT formatting, it does not sanitize the text for malicious natural language instructions that could manipulate the AI agent's behavior. - [EXTERNAL_DOWNLOADS]: The skill downloads videos, audio, and metadata from YouTube/Google servers using the
yt-dlputility. This is consistent with its primary function.
Audit Metadata