youtube-music
Pass
Audited by Gen Agent Trust Hub on Mar 21, 2026
Risk Level: SAFE
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill requires downloading the `@instructa/mcp-youtube-music` package from the npm registry using `npx`.
- [COMMAND_EXECUTION]: The server is executed via the `npx` command line tool as part of its standard operation.
- [PROMPT_INJECTION]: The skill interacts with untrusted data from the YouTube Music API, creating a surface for indirect prompt injection.
  - Ingestion points: Track titles and artist descriptions from the `searchTrack` and `playTrack` tools in SKILL.md enter the agent context.
  - Boundary markers: No specific delimiters or instruction-ignore warnings are present in the configuration.
  - Capability inventory: The skill executes shell commands via `npx` and can trigger browser navigation through the `playTrack` tool.
  - Sanitization: Responsibility for sanitizing API content is handled by the external `@instructa/mcp-youtube-music` package.
Audit Metadata