youtube-wisdom
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGHCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- COMMAND_EXECUTION (HIGH): The
scripts/download_video.shscript usesevalto executeyt-dlpwhen cookie support is enabled. The$video_urlargument is interpolated into the eval string without sufficient sanitization, which allows an attacker to execute arbitrary shell commands by providing a malformed URL (e.g., using semicolons or backticks). - Evidence:
eval yt-dlp ... "$video_url"inscripts/download_video.sh. - DATA_EXPOSURE (MEDIUM): The download script automatically scans for and attempts to access browser cookie databases (Chrome, Firefox, Safari, etc.) to bypass YouTube restrictions. This grants the skill access to sensitive session data and authentication tokens stored on the host machine.
- Evidence: The
download_transcriptfunction inscripts/download_video.shiterates through browser config directories in~/.config/. - INDIRECT_PROMPT_INJECTION (LOW): The skill processes untrusted external data (YouTube transcripts) and uses it to drive agent analysis and directory renaming. There are no boundary markers or instructions to ignore embedded commands within the transcript, making it susceptible to indirect prompt injection if a video contains malicious subtitles.
- Ingestion points:
scripts/download_video.shdownloads transcripts to*- transcript.txt. - Boundary markers: None. The instructions in
SKILL.mddirectly ask the agent to 'Read the transcript file' and perform analysis. - Capability inventory: File system modification (
mv,rm), shell script execution (bash scripts/send_notification.sh). - Sanitization: None applied to the transcript content before processing.
- EXTERNAL_DOWNLOADS (LOW): The skill relies on
yt-dlpto fetch content from YouTube. While YouTube is a known source, the use of external binaries and network requests to fetch unverified content increases the attack surface.
Recommendations
- AI detected serious security threats
Audit Metadata