skills/mikeygonz/skills/watch-youtube/Gen Agent Trust Hub

watch-youtube

Warn

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: MEDIUM
PROMPT_INJECTION
Full Analysis
  • Prompt Injection (MEDIUM): The skill is highly vulnerable to Indirect Prompt Injection (Category 8).
      • Ingestion points: The watch.py script ingests untrusted external content via the url parameter and user-provided instructions via the prompt parameter.
      • Boundary markers: Absent. The script does not use delimiters or system instructions to differentiate between the user's request and the potentially adversarial content within the video/audio stream.
      • Capability inventory: While the script's immediate output is limited to text, it is designed for use within an agent framework (OpenClaw). If the downstream agent uses this output to make decisions or execute other tools, the risk escalates to the highest privilege available to that agent.
      • Sanitization: None. Raw input is passed directly to the google-genai client.
  • Metadata Poisoning (MEDIUM): The SKILL.md file contains misleading information (Category 7).
      • Evidence: References to non-existent models like gemini-2.5-flash, gemini-2.5-pro, and gemini-3-flash-preview may lead users or automated agents to make incorrect assumptions about the skill's capabilities or state of development.
  • Data Exposure (LOW): The script accesses the GOOGLE_API_KEY environment variable. This is a standard practice and not a finding of hardcoded credentials, but it confirms the skill operates with the user's API privileges.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Feb 17, 2026, 05:10 AM