Skills
skills/nikhilbhansali/youtube-data-skills/youtube-trending-scanner/Gen Agent Trust Hub

youtube-trending-scanner

Pass

Audited by Gen Agent Trust Hub on Mar 30, 2026

Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill instructs the agent to execute a shell command that includes user-provided input (the niche name) as a command-line argument. If the niche name is not properly sanitized or escaped by the agent, it could lead to arbitrary command execution on the host system.
  • [EXTERNAL_DOWNLOADS]: The skill requires the installation of the google-api-python-client package from the official Python Package Index (PyPI). This is a well-known library from a trusted organization used for its intended purpose.
  • [PROMPT_INJECTION]: The skill processes untrusted data from YouTube (video titles, tags, and channel names) and later instructs the agent to read this data to generate a report. This creates a surface for indirect prompt injection, where malicious content embedded in video metadata could influence the agent's behavior during the report generation phase.
  • Ingestion points: Data is fetched from the YouTube Data API and saved to trending_data.json in Step 7.
  • Boundary markers: None are specified for the ingested content in the report generation phase.
  • Capability inventory: The skill performs shell executions (pip install, python execution, file removal) in Steps 4, 5, and 6.
  • Sanitization: The Python script uses basic regex to sanitize the niche name for a directory path, but the shell command in Step 5 does not explicitly define sanitization for the niche argument.
Audit Metadata
Risk Level
SAFE
Analyzed
Mar 30, 2026, 07:55 AM