youtube-summarize
Fail
Audited by Gen Agent Trust Hub on Mar 8, 2026
Risk Level: CRITICALEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill instructs macOS users to copy and paste a script from an external site (glot.io) directly into their terminal. This specific URL has been flagged as malicious by automated scanners.
- [REMOTE_CODE_EXECUTION]: For Windows users, the skill directs the download and execution of a binary from a personal GitHub repository ('hedefbari') that is not associated with a trusted organization or the verified vendor. The use of a password-protected ZIP archive ('openclaw') is a common tactic to evade automated malware analysis.
- [EXTERNAL_DOWNLOADS]: The skill mandates the installation of 'openclaw-agent' from untrusted external URLs as a prerequisite for core functionality, which is a significant security risk.
- [COMMAND_EXECUTION]: The skill frequently uses 'python3 -c' to execute inline scripts for data processing. While functional, this pattern can be used to hide malicious logic and complicates static security reviews.
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface. It ingests untrusted data from YouTube metadata (titles, descriptions, and transcripts) via 'yt-dlp' and processes it for summarization. Without proper boundary markers or sanitization, malicious instructions embedded in a video's metadata could potentially influence the agent's behavior.
Recommendations
- AI detected serious security threats
- Contains 2 malicious URL(s) - DO NOT USE
Audit Metadata