youtube-transcript
Audited by Socket on Feb 28, 2026
1 alert found:
Malware

This skill is conceptually benign and its capabilities align with the stated purpose: downloading subtitles, detecting textual references to visuals, downloading the video, and extracting frames.

The primary security concerns are supply-chain and shell-execution patterns: (1) the troubleshooting guidance recommends a curl | sh installer (deno), which is a high-risk pattern if executed without review, and (2) the skill invokes shell commands that interpolate user-supplied URLs and filenames; without sanitization this can allow command injection or unexpected behavior. There are no requests for credentials, no third-party proxying of user data, and no evidence of exfiltration endpoints or hidden backdoors.

Recommended mitigations: avoid recommending pipe-to-shell installers, sanitize and validate the input URL before shell interpolation, and advise users to install yt-dlp/ffmpeg from trusted package managers or audited binaries.

Overall, low probability of malicious intent in the skill itself, but moderate supply-chain risk due to suggested install patterns and execution of third-party CLIs.