yt-dlp
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill facilitates the ingestion of untrusted data from external platforms (YouTube and other sites).
- Ingestion points: External URLs and metadata extraction via
--dump-json,--get-description, and--get-title(SKILL.md). - Boundary markers: Absent. There are no instructions or delimiters provided to help the agent distinguish between data and potential malicious commands embedded in video metadata.
- Capability inventory: The skill enables subprocess calls for file-writing (
-o), network operations (video downloading), and credential handling. - Sanitization: None. The agent is directed to extract raw metadata which can contain hidden instructions targeting the agent's logic.
- [Command Execution] (MEDIUM): The skill provides complex shell command templates that perform side-effect operations including writing to the local filesystem and performing arbitrary network requests to external domains.
- [Credentials Unsafe] (LOW): The documentation includes examples of passing usernames and passwords in plaintext via command-line arguments (
-u user -p pass). While these are placeholders, they encourage insecure practices that expose credentials to process-listing tools (e.g.,ps).
Recommendations
- AI detected serious security threats
Audit Metadata