Skills
skills/nikiandr/goose-skills/youtube-watcher/Gen Agent Trust Hub

youtube-watcher

Pass

Audited by Gen Agent Trust Hub on Mar 29, 2026

Risk Level: SAFE
Full Analysis
  • [COMMAND_EXECUTION]: The script scripts/get_transcript.py uses subprocess.run with a list of arguments to invoke yt-dlp. This correctly avoids shell injection by not using shell=True and passing arguments as discrete list items.
  • [EXTERNAL_DOWNLOADS]: The skill depends on yt-dlp, a well-known open-source tool. Installation instructions reference official package managers (pip, brew).
  • [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface by ingesting external YouTube transcripts (ingestion: scripts/get_transcript.py). It lacks specific boundary markers but performs regex-based sanitization of VTT metadata. The agent's capability is limited to summarizing the extracted text.
Audit Metadata
Risk Level
SAFE
Analyzed
Mar 29, 2026, 05:17 PM