skills/kouko/monkey-knowledge-youtube-skills/mk-youtube-get-channel-latest/Snyk

mk-youtube-get-channel-latest

Warn

Audited by Snyk on Feb 25, 2026

Risk Level: MEDIUM

Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

Third-party content exposure detected (high risk: 0.90). The skill (see scripts/channel-latest.sh and SKILL.md) uses yt-dlp to fetch/dump JSON from public YouTube channel tabs (/videos, /shorts, /streams, /podcasts) and ingests titles/descriptions and other user-generated metadata into its output and centralized metadata store, so untrusted third-party content can influence downstream behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

Potentially malicious external URL detected (high risk: 0.90). At runtime the skill auto-downloads and then executes platform-specific binaries from GitHub release URLs (notably https://github.com/yt-dlp/yt-dlp/releases/latest/download/... for yt-dlp and https://github.com/jqlang/jq/releases/download/jq-1.7.1/... for jq), so remote content is fetched and executed as required dependencies.

Audit Metadata

Risk Level

MEDIUM

Analyzed

Feb 25, 2026, 12:00 PM