The Agent Skills Directory

Indirect Prompt Injection (HIGH): The skill possesses a significant attack surface by ingesting untrusted external data (YouTube transcripts) and presenting it to the agent for analysis.
Ingestion points: scripts/yt-transcript.sh uses yt-dlp to fetch existing captions or whisper-cpp to generate transcripts from downloaded audio.
Boundary markers: The script adds simple markdown headers (# Video Title, etc.) to /tmp/yt-transcript-{video_id}.txt, but lacks closing delimiters or explicit 'ignore instructions' warnings to the LLM.
Capability inventory: The agent uses a Read tool to load the transcript and then performs analysis, which can be influenced by malicious instructions embedded in the video's captions or spoken audio.
Sanitization: No sanitization is performed on the natural language content of the transcript to prevent prompt injection attacks.
Command/Argument Injection (MEDIUM): The script scripts/yt-transcript.sh passes the user-provided $URL variable directly to several shell commands.
Evidence: yt-dlp --print title "$URL" and yt-dlp -x ... "$URL" in scripts/yt-transcript.sh.
Risk: While the variable is quoted to prevent basic shell expansion, a malicious URL starting with a dash (e.g., --exec='rm -rf /') could be interpreted as a command-line argument by yt-dlp, potentially leading to arbitrary file operations or code execution.
External Downloads (LOW): The README.md and yt-transcript.sh instruct users to download a binary model from HuggingFace.
Evidence: curl -L "https://huggingface.co/ggerganov/whisper.cpp/resolve/main/ggml-base.en.bin".
Context: While HuggingFace is a standard repository for AI models, it is not within the explicitly defined 'Trusted Organizations' list for this audit, warranting a LOW severity note for unverifiable external binary dependencies.

util-youtube-analyzer