youtube-trending-scanner

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill explicitly asks the agent to request and store the user's YouTube API key ("Please paste your key") and provides a run command pattern (YT_API_KEY=API_KEY ...) that would require embedding the secret verbatim, creating a high exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's required workflow (SKILL.md Steps 3–8) instructs the agent to call the YouTube Data API v3 (search.list, videos.list, channels.list) to ingest public, user-generated YouTube metadata (titles, tags, stats), save and read trending_data.json, and then base report-generation and recommendations on that data—therefore it clearly consumes untrusted third‑party content that can influence actions.