ytmusic-hub

No clear evidence of classic malware (e.g., reverse shells, persistence, or direct credential exfiltration) is visible in this fragment. The dominant finding is high-risk behavior: the module globally disables TLS certificate and hostname verification in urllib3 and globally overrides socket.getaddrinfo to redirect selected domains to runtime-determined IPs derived from DoH. This substantially weakens transport-layer security and can enable MITM/traffic redirection, making the dependency dangerous unless carefully sandboxed and justified in a trusted environment.

SUSPICIOUS: The core purpose matches YouTube Music management, and the main library comes from an official registry, but the skill handles raw browser cookies, stores reusable auth headers locally, and explicitly disables SSL verification while patching DNS/network resolution. Those controls are disproportionate and create substantial credential and account-action risk even without clear evidence of third-party exfiltration.