mk-youtube-get-channel-latest
Pass
Audited by Gen Agent Trust Hub on Feb 25, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill downloads official binaries for the jq and yt-dlp utilities directly from their respective GitHub release pages (jqlang/jq and yt-dlp/yt-dlp). These are well-known technology tools and are treated as safe external sources.
- [REMOTE_CODE_EXECUTION]: The skill includes a build script, _utility__build_ytdlp.sh, which creates a local standalone binary for yt-dlp. It uses pip to install standard packages (yt-dlp, pyinstaller) from the Python Package Index (PyPI) in a virtual environment. This process is used for platform compatibility and does not execute untrusted remote code.
- [COMMAND_EXECUTION]: The main script channel-latest.sh uses subprocess calls to execute yt-dlp and jq for content extraction and JSON parsing. User-supplied arguments, such as channel identifiers or video URLs, are properly enclosed in double quotes within the shell scripts to prevent command injection.
- [SAFE]: The skill stores partial video metadata in the system's temporary directory (/tmp/monkey_knowledge/youtube/meta/). This facilitates data sharing with other skills in the toolset while maintaining appropriate filesystem isolation.
Audit Metadata