youtube-channel-business-email
Pass
Audited by Gen Agent Trust Hub on Jul 9, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The instructions in
SKILL.md(specifically Step 1 and Step 6 of the composite lookup) suggest interpolating untrusted data—such as user-supplied channel inputs and externally-sourced links—into shell commands using single quotes (e.g.,python scripts/normalize-channel-input.py '{channel-input}'). This pattern is vulnerable to command injection if the input values contain a single quote followed by shell metacharacters. - [EXTERNAL_DOWNLOADS]: The skill's operational flow includes fetching rendered text from arbitrary external websites (
stealth-extractonlink.url) discovered on YouTube channel About pages. These URLs are controlled by third-party creators and are not restricted to trusted domains, representing a broad network ingestion surface. - [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) because it processes untrusted data from the web.
- Ingestion points: Untrusted content is fetched from external sites and saved to
tmp/site.md; additional channel metadata is extracted from theytInitialDataobject on YouTube pages. - Boundary markers: No explicit markers or instructions are provided to the agent to treat the fetched site content as data rather than instructions when processing it.
- Capability inventory: The skill has access to browser navigation, JavaScript execution via
browser-act eval, automated fetching of remote content, and local script execution. - Sanitization: While the
extract-emails-from-text.pyscript uses regular expressions to filter for specific email formats (which helps prevent the direct execution of arbitrary text as commands), the initial fetch and storage of unvetted content still exposes the agent to adversarial data.
Audit Metadata