Skills
skills/browser-act/skills/youtube-video-api-skill/Gen Agent Trust Hub

youtube-video-api-skill

Pass

Audited by Gen Agent Trust Hub on Mar 30, 2026

Risk Level: SAFEPROMPT_INJECTION
Full Analysis
  • [SAFE]: The skill interacts with api.browseract.com, which is an official domain owned by the vendor 'browser-act'. This communication is necessary for the skill's stated functionality and involves no sensitive local file access.
  • [SAFE]: Credential management is handled securely by requiring the BROWSERACT_API_KEY to be provided as an environment variable or via user input, avoiding hardcoded secrets.
  • [PROMPT_INJECTION]: The skill possesses an indirect prompt injection surface because it retrieves and processes untrusted data from YouTube (video titles and channel metadata).
  • Ingestion points: Data is fetched from the BrowserAct API in scripts/youtube_video_api.py.
  • Boundary markers: No explicit delimiters or warnings are used to wrap the retrieved content.
  • Capability inventory: The skill executes a Python script via the shell but does not demonstrate arbitrary code execution or file-write capabilities on the ingested data.
  • Sanitization: The script does not sanitize the text content returned by the YouTube API before outputting it.
Audit Metadata
Risk Level
SAFE
Analyzed
Mar 30, 2026, 02:30 PM