youtube-data
Fail
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: HIGH
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The documentation in `SKILL.md` suggests installing the `uv` tool using a remote script from `https://astral.sh/uv/install.sh`. Astral is a well-known service provider in the Python ecosystem.
- [REMOTE_CODE_EXECUTION]: The troubleshooting section of the skill mentions a command pattern that pipes a remote script to a shell to install the `uv` utility.
- [PROMPT_INJECTION]: The skill has an indirect prompt injection surface because it processes data from untrusted external sources.
  - Ingestion points: The script `scripts/youtube_api.py` fetches data from the YouTube API, specifically video comments and transcripts.
  - Boundary markers: The skill does not use specific delimiters or instructions to prevent the agent from obeying commands embedded in fetched text.
  - Capability inventory: The script's functions are limited to network requests for data retrieval and do not include file system modifications or system command execution.
  - Sanitization: No sanitization or escaping is performed on the retrieved comment or transcript data before it is returned.
Recommendations
- HIGH: Downloads and executes remote code from: https://astral.sh/uv/install.sh - DO NOT USE without thorough review
Audit Metadata