youtube-summarizer

Fail

Audited by Gen Agent Trust Hub on Mar 1, 2026

Risk Level: HIGH

Findings: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill mandates downloading software from an unverified personal GitHub account ('kimtaeyoon83/mcp-server-youtube-transcript.git') rather than an official or trusted repository, which is a major security risk.
  • [REMOTE_CODE_EXECUTION]: The setup workflow instructs the agent to clone an external repository and execute 'npm install' and 'npm run build', which can trigger arbitrary code execution through package scripts during the installation phase.
  • [COMMAND_EXECUTION]: The skill relies on shell commands to manage files and fetch data, including a dynamic 'node -e' evaluation that imports and executes code from the downloaded external repository.
  • [PRIVILEGE_ESCALATION]: Hardcoded paths to the '/root/' directory (e.g., '/root/thinkfleet/...') suggest the skill expects to run with elevated privileges, which is dangerous for an automated agent.
  • [DATA_EXFILTRATION]: Local transcripts are transmitted to an external messaging platform (Telegram). While this is a core feature, it involves sending system data to non-whitelisted external destinations.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection by processing untrusted YouTube transcripts without sanitization.
  • Ingestion points: Video transcripts enter the agent context via the MCP server output (SKILL.md).
  • Boundary markers: No delimiters or 'ignore instructions' warnings are used to separate transcript data from instructions.
  • Capability inventory: The agent has shell access and can send data externally via the 'message' tool (SKILL.md).
  • Sanitization: No validation or filtering is performed on the transcript content before it is processed or summarized.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Mar 1, 2026, 05:15 AM