youtube-transcript
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION] (HIGH): Path Traversal in
scripts/extract_transcript.py. The script accepts an optionalcustom_filenamecommand-line argument which is joined with the target directory (~/Brains/brain/) usingvault_path / custom_filename. There is no validation to prevent directory traversal sequences (e.g.,../), allowing a user or a malicious instruction to overwrite sensitive files outside the intended directory (e.g.,../../.bashrc). - [PROMPT_INJECTION] (HIGH): Indirect Prompt Injection surface (Category 8). The skill ingests data from YouTube, an untrusted external source, and saves it into an Obsidian vault intended for agent context. Ingestion points: Video title, description, and transcript fetched via
yt-dlpinextract_transcript.py. Boundary markers: Absent; the content is placed directly into Markdown and YAML frontmatter without clear delimiters or instructions to ignore embedded commands. Capability inventory: File-write access to the local filesystem. Sanitization: Inadequate; while the script sanitizes titles for the default filename, it does not sanitize the contents of the transcript or description for malicious instructions. - [EXTERNAL_DOWNLOADS] (LOW): Requirement for
yt-dlp. The skill relies on an external utility to fetch and parse content from third-party websites.
Recommendations
- AI detected serious security threats
Audit Metadata