skills/kouko/monkey-knowledge-youtube-skills/mk-youtube-search/Snyk

mk-youtube-search

Warn

Audited by Snyk on Feb 25, 2026

Risk Level: MEDIUM

Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

Third-party content exposure detected (high risk: 0.80). The skill's search.sh (and SKILL.md) invoke yt-dlp to fetch public YouTube results (titles, descriptions, upload_date, etc.) and parse/store that user-generated content into /tmp/monkey_knowledge/youtube/meta/, so untrusted third‑party content is ingested and can influence downstream behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

Potentially malicious external URL detected (high risk: 0.80). The skill's runtime auto-downloads required binaries from GitHub release URLs (e.g., https://github.com/jqlang/jq/releases/download/jq-1.7.1 and https://github.com/yt-dlp/yt-dlp/releases/latest/download), which are fetched and then executed as program dependencies, so remote content can execute code on the host.

Audit Metadata

Risk Level

MEDIUM

Analyzed

Feb 25, 2026, 12:00 PM