youtube-channel-business-email

Pass

Audited by Gen Agent Trust Hub on Jul 9, 2026

Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The instructions in SKILL.md (specifically Step 1 and Step 6 of the composite lookup) suggest interpolating untrusted data—such as user-supplied channel inputs and externally-sourced links—into shell commands using single quotes (e.g., python scripts/normalize-channel-input.py '{channel-input}'). This pattern is vulnerable to command injection if the input values contain a single quote followed by shell metacharacters.
  • [EXTERNAL_DOWNLOADS]: The skill's operational flow includes fetching rendered text from arbitrary external websites (stealth-extract on link.url) discovered on YouTube channel About pages. These URLs are controlled by third-party creators and are not restricted to trusted domains, representing a broad network ingestion surface.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) because it processes untrusted data from the web.
  • Ingestion points: Untrusted content is fetched from external sites and saved to tmp/site.md; additional channel metadata is extracted from the ytInitialData object on YouTube pages.
  • Boundary markers: No explicit markers or instructions are provided to the agent to treat the fetched site content as data rather than instructions when processing it.
  • Capability inventory: The skill has access to browser navigation, JavaScript execution via browser-act eval, automated fetching of remote content, and local script execution.
  • Sanitization: While the extract-emails-from-text.py script uses regular expressions to filter for specific email formats (which helps prevent the direct execution of arbitrary text as commands), the initial fetch and storage of unvetted content still exposes the agent to adversarial data.
Audit Metadata
Risk Level
SAFE
Analyzed
Jul 9, 2026, 11:21 AM
Security Audit — agent-trust-hub — youtube-channel-business-email