youtube-transcript
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
PROMPT_INJECTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill processes untrusted external content and grants the agent file-writing capabilities based on that content.
  - Ingestion points: The script `scripts/get_transcript.py` fetches transcript snippets directly from the YouTube API.
  - Boundary markers: Absent. The transcript text is printed raw to standard output without delimiters or warnings to the agent to ignore embedded instructions.
  - Capability inventory: `SKILL.md` explicitly instructs the agent to save transcripts to files ("save it to the requested file") and to "clean it up," which requires the agent to parse and interpret the untrusted text.
  - Sanitization: Absent. There is no filtering or escaping of the transcript content before it is passed to the agent.
- Command Execution (LOW): The skill uses the `uv` package manager to execute a local Python script (`scripts/get_transcript.py`). This is a standard and expected pattern for this environment.
- External Downloads (LOW): The script depends on the `youtube-transcript-api` library. While this is a standard community package, it is downloaded from PyPI at runtime. Per [TRUST-SCOPE-RULE], this is a low-risk finding as it is a specific, versioned dependency for a clear purpose.
Recommendations
- AI detected serious security threats
Audit Metadata