youtube-to-markdown
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
PROMPT_INJECTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
- PROMPT_INJECTION (LOW): The skill is susceptible to indirect prompt injection from YouTube transcripts. An attacker could embed malicious instructions in video subtitles to manipulate the summary or cleaning steps.
  - Evidence: Steps 5-8 in `SKILL.md` interpolate transcript content directly into LLM prompts with instructions to "Action Required: Use the Write tool NOW... Do not ask for confirmation." This automated chain lacks human verification for the output of untrusted data.
  - Ingestion Points: YouTube metadata and transcripts fetched via `extract_transcript.py` and `extract_transcript_whisper.py`.
  - Boundary Markers: Prompts for subagents in `SKILL.md` do not use delimiters (like XML tags) or specific instructions to ignore embedded commands within the transcript text.
  - Capability Inventory: The agent is granted `Bash`, `Read`, and `Write` permissions.
  - Sanitization: The skill does not sanitize or escape transcript content before passing it to the LLM subagents.
- EXTERNAL_DOWNLOADS (LOW): The skill relies on downloading data from external sources and suggests installing third-party tools.
  - Evidence: The scripts use `yt-dlp` to download video data and audio. The documentation and scripts (`extract_transcript_whisper.py`) suggest installing packages like `openai-whisper` and `mlx-whisper`.
- COMMAND_EXECUTION (SAFE): The skill demonstrates safe command execution patterns for its internal operations.
  - Evidence: Scripts in `shared_types.py` and `extract_transcript_whisper.py` use `subprocess.run` with list-based arguments, preventing shell injection vulnerabilities. Critical parameters like Video IDs are validated via regex (`[a-zA-Z0-9_-]+`) before use.
Audit Metadata