podcast-workflow
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- Command Execution (HIGH): The skill executes local Python scripts via shell commands (`python3 /Users/ugreen/...`). Most critically, Step 1 in the 'Direct processing' flow interpolates a user-provided `YOUTUBE_URL` directly into a command line. If the URL contains shell metacharacters (e.g. `; rm -rf /`), the shell executes the injected command, giving arbitrary command execution on the host system.
- Data Exfiltration / Privacy (MEDIUM): The skill hardcodes absolute file paths belonging to a specific user (`/Users/ugreen/`), exposing the host's username and directory structure. It also transmits digested content to an external service (https://madopic.thus.chat) and to Feishu. While this is the intended functionality, sending potentially sensitive podcast summaries to third-party domains is a data exposure risk.
- Indirect Prompt Injection (LOW): The skill is exposed to indirect prompt injection because it processes untrusted data from external sources.
- Ingestion points: Step 1 fetches transcripts from external YouTube videos.
- Boundary markers: Absent. The skill does not use delimiters or instructions to ignore commands that might be embedded in the transcript text.
- Capability inventory: The skill has filesystem write access and command execution capabilities (as noted above).
- Sanitization: No sanitization or validation of the transcript content is performed before processing.
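The command-execution finding above is the classic shell-interpolation bug. The following is an added example (not code from the podcast-workflow skill or from the Trust Hub audit) that places the vulnerable pattern next to a hardened one: the URL is parsed, restricted to https YouTube hosts, reduced to an 11-character video id, and then passed to the script as a separate argv element with `shell=False`, so no shell ever sees the user's input. The script path `TRANSCRIPT_SCRIPT` is a hypothetical placeholder, since the audit only shows `python3 /Users/ugreen/...`.

```python
import re
import shlex
import subprocess
from urllib.parse import parse_qs, urlparse

# Hypothetical script path (assumption); the audit only shows "python3 /Users/ugreen/...".
TRANSCRIPT_SCRIPT = "/opt/podcast-workflow/fetch_transcript.py"

# Only https YouTube origins are accepted; anything else is rejected outright.
ALLOWED_HOSTS = {"www.youtube.com", "youtube.com", "m.youtube.com", "youtu.be"}
# YouTube video ids are 11 URL-safe base64 characters; no shell metacharacter fits this.
VIDEO_ID_RE = re.compile(r"[A-Za-z0-9_-]{11}")


def vulnerable_command(youtube_url: str) -> str:
    """The pattern the audit describes: the raw URL is pasted into a shell string.

    Running this through os.system() or subprocess.run(..., shell=True) lets
    ';', '&&', '|', '$(...)' and backticks inside the URL reach the shell.
    """
    return f"python3 {TRANSCRIPT_SCRIPT} {youtube_url}"


def quoted_command(youtube_url: str) -> str:
    """Minimal mitigation if a shell string is unavoidable: quote the argument."""
    return f"python3 {TRANSCRIPT_SCRIPT} {shlex.quote(youtube_url)}"


def extract_video_id(youtube_url: str) -> str:
    """Reduce an untrusted URL to a validated video id, or raise ValueError."""
    parsed = urlparse(youtube_url)
    if parsed.scheme != "https" or parsed.hostname not in ALLOWED_HOSTS:
        raise ValueError("not an https YouTube URL")
    if parsed.hostname == "youtu.be":
        video_id = parsed.path.lstrip("/")
    else:
        # parse_qs splits on '&' only, so "v=ID; rm -rf /" stays one (rejected) value.
        video_id = parse_qs(parsed.query).get("v", [""])[0]
    if not VIDEO_ID_RE.fullmatch(video_id):
        raise ValueError("malformed video id")
    return video_id


def is_safe_url(youtube_url: str) -> bool:
    try:
        extract_video_id(youtube_url)
        return True
    except ValueError:
        return False


def hardened_argv(youtube_url: str) -> list:
    """Build an argv list: each element is one argument, never re-parsed by a shell.

    The URL is rebuilt from the validated id, so the script receives a canonical
    value rather than whatever the caller supplied. '--' stops the script from
    treating an argument that starts with '-' as an option.
    """
    video_id = extract_video_id(youtube_url)
    return ["python3", TRANSCRIPT_SCRIPT, "--", f"https://www.youtube.com/watch?v={video_id}"]


def run_transcript(youtube_url: str, timeout_s: int = 120) -> subprocess.CompletedProcess:
    """Execute the transcript script without a shell and with a timeout."""
    return subprocess.run(
        hardened_argv(youtube_url), shell=False, check=True,
        capture_output=True, text=True, timeout=timeout_s,
    )


if __name__ == "__main__":
    # Constructed sample input: a valid URL with a shell payload appended.
    hostile = "https://www.youtube.com/watch?v=dQw4w9WgXcQ; rm -rf /"
    print("vulnerable:", vulnerable_command(hostile))
    print("quoted:    ", quoted_command(hostile))
    print("validated: ", is_safe_url(hostile))  # False: the id no longer matches
```

The validation step is what makes the argv form robust: even with `shell=False`, passing the raw string through would still hand the script a hostile value it might itself interpolate somewhere. Rejecting anything that is not an https YouTube URL with an 11-character id also closes the SSRF-style case where an attacker points the downloader at an arbitrary host.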
Recommendations
- AI review detected serious security threats; the skill fails the audit.
Audit Metadata