youtube-analysis
Pass
Audited by Gen Agent Trust Hub on Mar 7, 2026
Risk Level: SAFE
COMMAND_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses `subprocess.run` in `scripts/fetch_transcript.py` to execute the `yt-dlp` binary for fetching video metadata and as a fallback for transcript extraction.
  - Evidence: `subprocess.run(cmd, ...)` is called with a list of arguments, which is a secure way to execute external commands compared to shell strings.
- [EXTERNAL_DOWNLOADS]: The skill interacts with YouTube's public interface to retrieve transcripts and metadata.
  - Evidence: It uses `youtube-transcript-api` and `yt-dlp` to communicate with `youtube.com` domains.
- [PROMPT_INJECTION]: The skill is subject to indirect prompt injection as it ingests untrusted transcript data from YouTube videos.
  - Ingestion points: `scripts/fetch_transcript.py` (via API or `yt-dlp`).
  - Boundary markers: None identified in the prompt logic; the transcript is processed as raw text for analysis.
  - Capability inventory: File writing (`analyze_video.py`), Subprocess execution (`fetch_transcript.py`).
  - Sanitization: Filenames are sanitized in `scripts/utils.py:sanitize_filename`.
Audit Metadata