youtube-uploader
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE, NO_CODE
Full Analysis
- [NO_CODE] (SAFE): The main implementation logic file 'youtube-upload.ts' is missing from the provided files. The analysis is performed on the documentation, setup guides, and package manifest.
- [EXTERNAL_DOWNLOADS] (SAFE): The package.json file specifies standard, well-known dependencies ('googleapis', 'dotenv', 'open') to be installed via the official npm registry.
- [COMMAND_EXECUTION] (LOW): The skill documentation suggests executing commands via 'npx ts-node' to run the upload script. While this involves local command execution, it is the expected operation for this type of tool.
- [CREDENTIALS_UNSAFE] (SAFE): The skill manages sensitive OAuth2 credentials using a '.env' file for Client secrets and a local '.youtube-token.json' for access tokens. This follows standard local development practices for API integration and does not represent a security flaw in the skill's design.
- [PROMPT_INJECTION] (LOW): The skill presents an indirect prompt injection surface as it processes external data (video titles and descriptions).
  1. Ingestion points: Video metadata passed via CLI arguments to 'youtube-upload.ts'.
  2. Boundary markers: None described in documentation.
  3. Capability inventory: Network access via YouTube Data API and file read access.
  4. Sanitization: Not verifiable as the script code is missing.