youtube-summarizer
Fail
Audited by Gen Agent Trust Hub on Feb 14, 2026
Risk Level: CRITICAL
REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION] (CRITICAL): The skill mandates cloning an untrusted external repository (kimtaeyoon83/mcp-server-youtube-transcript) and running npm install and npm run build. This provides a direct path for arbitrary code execution via malicious npm lifecycle scripts or build steps from a non-whitelisted source.
- [COMMAND_EXECUTION] (HIGH): In SKILL.md (Step 2), the skill executes a shell command using node -e that interpolates a VIDEO_ID derived from user input. A maliciously crafted ID (e.g., using single quotes or shell metacharacters) could break out of the JavaScript string or the shell command to execute arbitrary code.
- [PROMPT_INJECTION] (HIGH): The skill is highly vulnerable to Indirect Prompt Injection. Evidence Chain:
  1. Ingestion point: YouTube transcripts fetched via the MCP server.
  2. Boundary markers: Absent; transcript content is processed directly into the prompt for summarization.
  3. Capability inventory: Significant write capabilities including file creation in /root/ and sending files/messages via the Telegram message tool.
  4. Sanitization: Absent; the skill lacks any filtering or escaping for external content.
  A transcript containing malicious instructions could hijack the agent to exfiltrate data or perform unauthorized messaging.
- [EXTERNAL_DOWNLOADS] (HIGH): The skill relies on an external dependency from a source not included in the Trusted External Sources list. Per [TRUST-SCOPE-RULE], this is treated as a high-risk finding.
- [PRIVILEGE_ESCALATION] (MEDIUM): The skill instructions and code assume the agent is running in the /root/ directory, which indicates an expectation of root-level privileges. This significantly increases the blast radius of any successful exploit.
Recommendations
- AI detected serious security threats
Audit Metadata