skills/tumf/skills/youtube-summarizer/Gen Agent Trust Hub

youtube-summarizer

Pass

Audited by Gen Agent Trust Hub on Mar 24, 2026

Risk Level: SAFE
Flagged categories: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The workflow in 'SKILL.md' instructs the agent to execute a shell command: 'python scripts/fetch_transcript.py "<YOUTUBE_URL>"'. If the agent interpolates a malicious user-provided URL into this command without proper shell escaping, it could lead to command injection in the execution environment. While the 'fetch_transcript.py' script itself mitigates injection by using subprocess with argument lists and a restrictive regex for ID extraction, the shell-based invocation pattern remains a risk surface.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8). Malicious instructions could be embedded in the video audio, which 'yt-dlp' then converts into the transcript. When the agent reads the transcript to generate a summary, it might inadvertently follow those instructions.
      • Ingestion points: The transcript text is read from '/tmp/yt_transcript.txt' (referenced in SKILL.md Step 2).
      • Boundary markers: The workflow does not specify the use of delimiters or 'ignore embedded instructions' warnings when the agent processes the transcript.
      • Capability inventory: The skill has shell access (to run the extraction script and clean up files) and file system read/write access.
      • Sanitization: The 'fetch_transcript.py' script cleans technical VTT tags but does not perform any content-based sanitization or filtering for natural language instructions.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 24, 2026, 02:04 AM