summarize-youtube
Pass
Audited by Gen Agent Trust Hub on Feb 26, 2026
Risk Level: SAFE
Categories: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The shell script scripts/summarize_youtube.sh executes local binaries including yt-dlp, whisper-cli, and a user-configurable summarize tool. Shell variables derived from user input are quoted to mitigate common injection risks.
- [EXTERNAL_DOWNLOADS]: Dependencies and environment setup are managed via the Nix package manager, fetching packages from the official Nixpkgs repository. The skill also facilitates the download of AI models for whisper.cpp from trusted sources.
- [PROMPT_INJECTION]: The skill represents an indirect prompt injection surface because it processes untrusted external content (YouTube transcripts) and provides it to an LLM.
  - Ingestion points: Untrusted data enters via the YouTube URL processed in scripts/summarize_youtube.sh.
  - Boundary markers: The script does not implement specific delimiters or 'ignore' instructions for the processed transcript.
  - Capability inventory: The workflow involves executing several subprocesses for media processing and CLI-based summarization.
  - Sanitization: No content validation or escaping is applied to the transcript before it is passed to the LLM.
Audit Metadata