Skills
AGENT LAB: SKILLS
skills/feiskyer/codex-settings/youtube-transcribe-skill/Gen Agent Trust Hub

youtube-transcribe-skill

Fail

Audited by Gen Agent Trust Hub on Feb 15, 2026

Risk Level: HIGHCOMMAND_EXECUTIONCREDENTIALS_UNSAFEPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION] (HIGH): The skill directly interpolates user-provided input ([VIDEO_URL]) into shell commands (yt-dlp --get-title "[VIDEO_URL]"). Although wrapped in quotes, this is a significant injection vector if the agent does not perform strict sanitization of shell-sensitive characters like backticks, subshell tokens, or semicolons.
  • [CREDENTIALS_UNSAFE] (HIGH): The instructions explicitly require the use of --cookies-from-browser=chrome. This grants the yt-dlp tool (and the agent by extension) access to the user's browser profile, which contains sensitive session cookies, authentication tokens, and private user data across all logged-in sites.
  • [PROMPT_INJECTION] (MEDIUM): Category 8 (Indirect Prompt Injection). The skill is designed to ingest untrusted data from an external source (YouTube transcripts) via mcp__chrome__evaluate_script.
  • Ingestion points: YouTube transcript segments fetched from the DOM in Step 3.5.
  • Boundary markers: Absent. The data is joined as raw text and passed to a file-writing tool.
  • Capability inventory: Subprocess calls (yt-dlp), file-write capabilities, and browser automation.
  • Sanitization: Absent. The script directly extracts innerText without filtering for potential instructions.
  • [COMMAND_EXECUTION] (MEDIUM): Step 3.5 uses mcp__chrome__evaluate_script to run arbitrary JavaScript in a browser context. While standard for automation, it increases the attack surface if the script logic is manipulated by injected page content.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 15, 2026, 11:57 PM