Skills
skills/sundial-org/awesome-openclaw-skills/youtube/Snyk

youtube

Warn

Audited by Snyk on Feb 27, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The SKILL.md clearly fetches and ingests public, user-generated YouTube content (video details, descriptions, and transcripts via the YouTube Data API or yt-dlp from youtube.com) and instructs the agent to read and analyze those transcripts (e.g., "Get Transcript for Research" and "Analyze transcript for interesting topics"), so third-party content can directly influence tool use and decisions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.80). The skill's setup instructs cloning, building, and running the external MCP server at https://github.com/ZubeidHendricks/youtube-mcp-server, so it requires fetching and executing remote code from that URL (runtime depends on that fetched code).
Audit Metadata
Risk Level
MEDIUM
Analyzed
Feb 27, 2026, 01:26 PM