Skills
skills/iopho-team/skills/iopho-searching-videos/Gen Agent Trust Hub

iopho-searching-videos

Pass

Audited by Gen Agent Trust Hub on Feb 27, 2026

Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTIONEXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The skill relies on shell command execution for its core functionality. It constructs commands using yt-dlp and python3 which include interpolated user input (e.g., $QUERY, $ARGUMENTS). While this is necessary for the skill's purpose, it requires robust sanitization by the agent to prevent command injection vulnerabilities.
  • [PROMPT_INJECTION]: The skill has an indirect prompt injection attack surface.
  • Ingestion points: Untrusted data enters the agent context through video titles, descriptions, and tags retrieved from external platforms (YouTube, Bilibili, etc.) via yt-dlp and DuckDuckGo.
  • Boundary markers: No explicit delimiters or instructions to ignore embedded commands are present in the processing logic.
  • Capability inventory: The skill has access to powerful tools including Bash and python3 interpreters.
  • Sanitization: There is no evidence of metadata sanitization or validation before the content is displayed or processed by the agent.
  • [EXTERNAL_DOWNLOADS]: The skill references and suggests the installation of external packages yt-dlp and duckduckgo-search. These are well-known and widely used tools for video metadata extraction and web searching.
Audit Metadata
Risk Level
SAFE
Analyzed
Feb 27, 2026, 07:29 PM