youtube-summarizer

Fail

Audited by Gen Agent Trust Hub on Feb 25, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The workflow in SKILL.md (Step 2) instructs the agent to run a shell command that interpolates VIDEO_ID directly into the script string passed to node -e. The value therefore reaches two interpreters at once: the shell that parses the command line and the JavaScript source that node evaluates. A crafted URL or ID containing shell metacharacters (e.g., ;, &, |), or a quote character that closes the JavaScript string literal, lets the caller execute arbitrary commands on the host. Because the ID is taken from the request rather than from a trusted source, it must be validated (an 11-character [A-Za-z0-9_-] token) before it reaches either interpreter, and passed as an argument rather than spliced into code.
  • [EXTERNAL_DOWNLOADS]: The skill's README.md and package.json declare a mandatory dependency on an external repository (https://github.com/kimtaeyoon83/mcp-server-youtube-transcript.git). That repository belongs to an individual account with no stated relationship to the vendor 'sundial-org' or to any trusted organization. Installation clones the repository, installs its npm dependencies, and builds the code, so the install step itself already executes code the vendor does not control (npm lifecycle scripts included), before the skill is ever run.
  • [REMOTE_CODE_EXECUTION]: Downloading untrusted code and then executing it with node, partly through scripts assembled at run time with -e, gives a direct path to remote code execution. A compromise of the third-party repository, or of anything in its dependency tree, becomes a compromise of the agent's host; at a minimum the skill should pin a reviewed revision and verify it before building.
  • [PROMPT_INJECTION]: The skill is highly exposed to indirect prompt injection: it ingests untrusted text from YouTube transcripts and video metadata and feeds it to the model that writes the summary.
    • Ingestion points: transcript lines (result.lines) and video metadata (title, author).
    • Boundary markers: absent. The summary template uses no delimiters to separate untrusted content from instructions.
    • Capability inventory: the skill can execute shell commands (node -e), write files under /root/clawd/transcripts/, and send files via Telegram, so an injected instruction has real side effects to reach for.
    • Sanitization: none. Transcript content is neither filtered nor flagged before processing or summary generation.
  • [PRIVILEGE_CONCERNS]: The skill documentation repeatedly references installation and operation under /root/ (e.g., /root/clawd/transcripts/), which implies the agent runs as the root user. Running the agent or its skills as root turns the command injection and RCE issues above into a full compromise of the host rather than of a single unprivileged account.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 25, 2026, 10:17 PM