mk-youtube-get-info
Audited by Socket on Feb 25, 2026
1 alert found:
Obfuscated File
The skill’s described functionality is legitimate for fetching YouTube metadata and driving a summarization pipeline. However, it contains significant supply-chain and privacy risks: (1) auto-downloading and executing external binaries from unspecified sources without integrity checks is a high supply-chain risk; (2) automatically reading local browser cookie stores gives access to sensitive credentials and should require explicit, scoped consent; (3) centralized metadata files in /tmp are accessible to other local processes and may leak sensitive information. There is no direct evidence of malicious code in the provided description, but the combination of these capabilities increases the risk profile. Recommend blocking or requiring review/mitigations before deployment: pin/verify downloads, remove or make cookie access explicit and opt-in, and harden metadata storage.