youtube-analysis
Pass
Audited by Gen Agent Trust Hub on Apr 12, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: No malicious patterns or security vulnerabilities were detected. The skill uses established and reputable libraries for its primary functionality.
- [COMMAND_EXECUTION]: The skill executes the yt-dlp command using subprocess.run with a list of arguments, which is the recommended method to prevent command injection. Furthermore, all YouTube URLs and IDs are validated via regular expressions before processing.
- [EXTERNAL_DOWNLOADS]: The skill requires the installation of standard Python packages (yt-dlp and youtube-transcript-api). These are well-known tools from the community with no signs of typosquatting or malicious sources.
- [PROMPT_INJECTION]: The skill involves an indirect prompt injection surface as it processes external content from YouTube transcripts.
  - Ingestion points: Transcripts and metadata are fetched in scripts/fetch_transcript.py.
  - Boundary markers: The skill structures the analysis using patterns in references/analysis-patterns.md but does not use explicit delimiters to isolate transcript text from instructions.
  - Capability inventory: The skill uses subprocess.run to call yt-dlp and Path.write_text to create markdown output files.
  - Sanitization: Input validation is performed on URLs and file paths, though the content of the transcript itself is processed without filtering.
Audit Metadata