Skills
skills/kenneth-liao/ai-launchpad-marketplace/youtube-data/Snyk

youtube-data

Fail

Audited by Snyk on Mar 6, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E005: Suspicious download URL detected in skill instructions.

  • Suspicious download URL detected (high risk: 1.00). Although the Google Cloud Console and documentation URL are legitimate, the bundle includes a direct .sh installer hosted on a third‑party domain (https://astral.sh/uv/install.sh) and the skill advises running it (curl|sh style), which is a high‑risk pattern because remote shell scripts can easily deliver malware if the publisher is untrusted or compromised.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). This skill fetches and returns public, user-generated YouTube content (video transcripts via youtube-transcript-api and comments/video descriptions via the YouTube Data API) as part of its core workflow (see scripts/youtube_api.py functions get_video_transcript, get_video_comments, get_enhanced_transcript and the SKILL.md which documents fetching transcripts and comments), so untrusted third-party content can directly influence downstream processing.
Audit Metadata
Risk Level
CRITICAL
Analyzed
Mar 6, 2026, 10:01 PM