skills/kouko/monkey-knowledge-youtube-skills/mk-youtube-get-audio/Snyk

mk-youtube-get-audio

Warn

Audited by Snyk on Feb 25, 2026

Risk Level: MEDIUM

Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

Third-party content exposure detected (high risk: 1.00). The skill's audio.sh script calls yt-dlp to fetch metadata and download audio from arbitrary public YouTube URLs (user-generated content) — see fetch_metadata and download_audio — and it uses that metadata to decide retries, cookie fallback and subsequent actions, so untrusted third-party content can influence tool behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

Potentially malicious external URL detected (high risk: 0.90). The skill's runtime scripts auto-download and then execute required binaries from GitHub (yt-dlp: https://github.com/yt-dlp/yt-dlp/releases/latest/download and jq: https://github.com/jqlang/jq/releases/download/jq-1.7.1), which fetches remote code that is executed as a required dependency.

Audit Metadata

Risk Level

MEDIUM

Analyzed

Feb 25, 2026, 12:00 PM