Skills
skills/psw7205/skills/video-subtitle-dl/Snyk

video-subtitle-dl

Fail

Audited by Snyk on Mar 26, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The skill instructs adding auth flags like --username/--password or embedding cookies when retrying commands, which would require the agent to include user-provided credentials verbatim in generated commands — an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill's scripts and SKILL.md explicitly fetch subtitles from user-supplied public video URLs (YouTube, Vimeo, etc.) via yt-dlp (see scripts/fetch-subs.sh and SKILL.md) and then read and translate those untrusted, user-generated subtitle files as part of its workflow (references/translation-guide.md says the original subtitle file is read for translation), so third-party content can directly influence processing and outputs.

Issues (2)

W007
HIGH

Insecure credential handling detected in skill instructions.

W011
MEDIUM

Third-party content exposure detected (indirect prompt injection risk).

Audit Metadata
Risk Level
HIGH
Analyzed
Mar 26, 2026, 01:55 AM
Issues
2