youtube

Fail

Audited by Gen Agent Trust Hub on Mar 30, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The script scripts/youtube.ts builds yt-dlp shell command lines by string interpolation of user-supplied values. Functions such as ytdlpGetVideoInfo, ytdlpListChannelVideos, and ytdlpGetTranscript wrap the url or videoIdOrUrl parameter in double quotes inside a template literal but perform no shell escaping. Double quotes are not a sufficient guard: the shell still expands $(...) and backtick command substitution inside them, and an embedded " closes the quoted argument so that a following separator such as ; starts a new command. An attacker who controls that string can therefore run arbitrary commands on the host.
  • [REMOTE_CODE_EXECUTION]: Because these strings are handed to a shell without sanitization, the injection yields arbitrary code execution with the privileges of the agent process. It is triggered whenever the agent processes a malicious YouTube URL or ID, whether supplied directly by a user or fetched from an external source.
  • [DATA_EXFILTRATION]: The command injection above can be used to exfiltrate sensitive data. The skill manages OAuth tokens in .claude/google-skill.local.json and credentials in ~/.config/google-skill/credentials.json, both readable by the injected command; a crafted payload could upload these files to a remote endpoint.
  • [PROMPT_INJECTION]: The CHANNEL-SUMMARY.md workflow fetches and analyzes YouTube transcripts. Transcripts are external, untrusted content and are therefore a surface for indirect prompt injection. The skill has no boundary markers or sanitization logic to keep instructions embedded in a video's subtitles from overriding the agent's intended behavior during summarization (Category 8).
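As an added example (not code from the audited skill or its author), the template-literal pattern the COMMAND_EXECUTION and REMOTE_CODE_EXECUTION findings describe is shown beside a hardened replacement. The parameter name videoIdOrUrl is taken from the finding; the function names, the regular expressions, the constructed payload and the use of the --dump-json flag are assumptions about how the skill calls yt-dlp, not taken from its source.

```typescript
// Added example, not code from the audited skill. Assumed: the skill builds
// `yt-dlp --dump-json "${videoIdOrUrl}"` as a shell string; the hardened form
// validates the input and returns an argv array for execFile (no shell).

// Canonical YouTube video IDs are 11 characters from this alphabet.
const VIDEO_ID = /^[A-Za-z0-9_-]{11}$/;
const WATCH_URL = /^https?:\/\/(?:www\.|m\.)?youtube\.com\/watch\?(?:[^#]*&)?v=([A-Za-z0-9_-]{11})(?:[&#]|$)/;
const SHORT_URL = /^https?:\/\/youtu\.be\/([A-Za-z0-9_-]{11})(?:[?#]|$)/;

/** Vulnerable pattern from the finding: quoting without escaping. */
function unsafeYtdlpCommand(videoIdOrUrl: string): string {
  return `yt-dlp --dump-json "${videoIdOrUrl}"`;
}

/** Returns the 11-character video ID, or null if the input is neither a bare ID nor a recognised watch URL. */
function extractVideoId(input: string): string | null {
  const s = input.trim();
  if (VIDEO_ID.test(s)) return s;
  const m = WATCH_URL.exec(s) || SHORT_URL.exec(s);
  const id = m ? m[1] : undefined;
  return id ? id : null;
}

/** Hardened form: validate, rebuild the URL from the ID, return argv for execFile. */
function safeYtdlpArgv(videoIdOrUrl: string): string[] {
  const id = extractVideoId(videoIdOrUrl);
  if (id === null) {
    throw new Error(`rejected video reference: ${JSON.stringify(videoIdOrUrl)}`);
  }
  // Rebuilding the URL from the validated ID means the caller's string never
  // reaches yt-dlp. It also avoids a valid ID that begins with "-" being parsed
  // as a yt-dlp option; "--" ends option parsing for the same reason.
  return ["--dump-json", "--", `https://www.youtube.com/watch?v=${id}`];
}

// Constructed sample payload: closes the double quote, runs `id`, reopens a quote
// so the trailing quote added by the template literal still balances.
const INJECTION = 'aB3dE5fG7hI"; id; echo "';

// Intended usage (commented out so the example runs offline without yt-dlp):
// import { execFile } from "node:child_process";
// execFile("yt-dlp", safeYtdlpArgv(videoIdOrUrl), (err, stdout) => { /* parse JSON */ });
```

With the payload above, unsafeYtdlpCommand produces `yt-dlp --dump-json "aB3dE5fG7hI"; id; echo ""`, which a shell runs as two commands. safeYtdlpArgv rejects the same input because it is neither an 11-character ID nor a youtube.com/youtu.be watch URL, and for accepted input it returns an argument vector that execFile passes to yt-dlp directly, so no shell metacharacter is ever interpreted. Note that switching to execFile alone is not enough: without the canonical-URL rebuild or the `--` separator, an ID starting with `-` would still be read by yt-dlp as an option.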
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Mar 30, 2026, 12:28 AM