mk-youtube-transcript-summarize
Warn
Audited by Snyk on Feb 25, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill explicitly ingests YouTube transcript files (user-generated, potentially untrusted content) as part of its core workflow. SKILL.md (Processing Strategy) and scripts/summary.sh require the agent or spawned subagents to "Read the entire file with the Read tool", and the chunked subagent prompt instructs subagents to read transcript line ranges and produce summaries, so third-party transcript content directly influences tool actions and synthesis.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill's ensure_jq utility auto-downloads and installs a jq binary at runtime from the GitHub release URL (e.g. https://github.com/jqlang/jq/releases/download/jq-1.7.1), which fetches and executes remote code that the skill requires for operation.
Audit Metadata