online-content-collector
Pass
Audited by Gen Agent Trust Hub on May 7, 2026
Risk Level: SAFE
Full Analysis
- [COMMAND_EXECUTION]: The skill executes external commands (yt-dlp, gallery-dl) to process downloads. Analysis confirms these are called using subprocess.run() with argument lists (shell=False), which is a secure practice that prevents shell injection attacks.
- [EXTERNAL_DOWNLOADS]: The skill downloads content from external websites (primarily YouTube and X/Twitter) as requested by the user's notes. These operations are conducted through established tools and targeted at well-known services.
- [DATA_EXFILTRATION]: No evidence of unauthorized data transmission was found. The skill processes local Markdown files to extract URLs and writes the downloaded content back to the local Obsidian vault.
- [CREDENTIALS_UNSAFE]: No hardcoded API keys, tokens, or credentials were detected in the scripts or configuration files.
- [REMOTE_CODE_EXECUTION]: The skill does not download or execute arbitrary scripts from the internet; it relies on pre-installed system tools.
- [SAFE]: The Python scripts use yaml.safe_load() for parsing data blocks, preventing YAML-based code execution vulnerabilities. Filenames are sanitized before directory creation to prevent path traversal issues.
Audit Metadata