YouTube Transcript Extractor

Warn

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: MEDIUM
Findings: PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [Command Execution] (MEDIUM): Potential path traversal in script execution. Evidence: In scripts/get_youtube_transcript.py, the get_video_id function extracts an identifier from the user-supplied URL. This identifier is used directly to create a local filename at line 122. Impact: An attacker could provide a URL containing path traversal sequences (e.g., ../) to attempt writing files to arbitrary locations.
  • [Indirect Prompt Injection] (LOW): Vulnerability surface for untrusted external data. Ingestion points: get_youtube_transcript.py fetches transcript text from YouTube servers. Boundary markers: Absent. The transcript is processed as raw text and saved/printed without delimiters. Capability inventory: The skill writes files to the local disk and prints to terminal. Sanitization: None. The script does not filter or escape the transcript content fetched from the external source.
  • [External Downloads] (SAFE): The skill depends on youtube-transcript-api and fetches data from YouTube. These actions are expected given the skill's description.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 17, 2026, 06:50 PM