Skills
skills/xdrshjr/jr-openclaw-skills/video-transcript-downloader/Gen Agent Trust Hub

video-transcript-downloader

Pass

Audited by Gen Agent Trust Hub on Feb 19, 2026

Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION] (LOW): The skill documentation indicates it runs a local script ./scripts/vtd.js which executes yt-dlp and ffmpeg to process media. This is the primary function of the skill but involves executing external binaries.
  • [EXTERNAL_DOWNLOADS] (LOW): The skill installs the youtube-transcript-plus package from NPM and fetches media/data from external URLs like YouTube.
  • [PROMPT_INJECTION] (LOW): There is a risk of indirect prompt injection (Category 8) because the skill processes video transcripts from untrusted sources which could contain malicious instructions designed to influence the agent. 1. Ingestion points: Video transcripts via youtube-transcript-plus and yt-dlp. 2. Boundary markers: None documented. 3. Capability inventory: Command execution via yt-dlp/ffmpeg and file system writes. 4. Sanitization: No evidence of filtering for fetched transcript text.
  • [NO_CODE] (SAFE): The implementation script ./scripts/vtd.js is referenced in the documentation but not provided for analysis; the verdict is based on the documented behavior and metadata.
Audit Metadata
Risk Level
SAFE
Analyzed
Feb 19, 2026, 03:56 PM