youtube-processor
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUMDATA_EXFILTRATIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [Data Exposure & Exfiltration] (HIGH): The skill targets a specific local path in the user's Documents folder (
/Users/eddale/Documents/COPYobsidian/MAGI/Zettelkasten/) for file writes via thesave_to_obsidianfunction intools/youtube_core.py. Accessing the user's Documents directory is a sensitive operation. The severity is mitigated to MEDIUM because this access is fundamental to the skill's stated purpose of saving notes. - [External Downloads] (LOW): The skill performs network requests to an external Vercel-hosted API (
https://youtube-processor-eight.vercel.app/transcript) viaWebFetchand instructs the installation of theyoutube-transcript-apilibrary. - [Command Execution] (LOW): The skill's workflow involves executing local Python scripts (
get_transcript.py,process_video.py) using theBashtool to perform transcript extraction and processing. - [Prompt Injection] (LOW): The skill is vulnerable to indirect prompt injection as it ingests untrusted YouTube transcripts and interpolates them into LLM prompts without sanitization or boundary markers.
- Ingestion points:
tools/get_transcript.pyandapi/main.pyfetch transcript data from external YouTube URLs. - Boundary markers: Absent. The
SUMMARY_PROMPTStemplates intools/youtube_core.pydo not use delimiters (like XML tags or triple quotes) to isolate the untrusted transcript content. - Capability inventory: The skill uses
Bash,Write, andWebFetchtools, which could be exploited if an attacker successfully injects instructions into a transcript. - Sanitization: Absent. The raw text from
youtube-transcript-apiis used directly in the summarization prompt.
Audit Metadata