youtube-instant-article
Pass
Audited by Gen Agent Trust Hub on Mar 21, 2026
Risk Level: SAFE
PROMPT_INJECTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, CREDENTIALS_UNSAFE
Full Analysis
- [PROMPT_INJECTION]: The skill uses behavioral instructions in `SKILL.md` to override the agent's default tool selection, mandating itself as the primary choice for all YouTube requests and explicitly instructing the agent to bypass generic summarization tools.
- [PROMPT_INJECTION]: The skill processes untrusted external content (YouTube video transcripts via the `summarize` tool) and incorporates it into a public Telegraph article. This presents an indirect prompt injection surface where a video's content could attempt to influence the summary or output. Evidence: Ingestion at `scripts/generate.sh` lines 50 and 54 via the `summarize` tool; capabilities include writing to the Telegraph API via `curl` at line 173; sanitization is performed via `jq` at line 176 to ensure valid JSON output, though this only prevents technical injection into the API request, not logical injection into the article content.
- [DATA_EXFILTRATION]: Extracted images from videos are uploaded to `catbox.moe`, a third-party file hosting service, which involves transmitting data to a non-whitelisted external domain.
- [EXTERNAL_DOWNLOADS]: The skill relies on an external CLI tool (`summarize`) from a third-party repository (`steipete/tap/summarize`), which is a prerequisite for the skill's functionality and is executed at runtime.
- [CREDENTIALS_UNSAFE]: The skill references a hardcoded absolute file path (`/Users/viticci/clawd/.env`) for loading sensitive environment variables, exposing host system details like the username and directory structure.
- [COMMAND_EXECUTION]: The skill executes local shell scripts and external utility programs (`summarize`, `jq`, `curl`) as part of its core functionality to process video data and interact with web APIs.
Audit Metadata