buda-youtube-to-script

Warn

Audited by Socket on Jun 13, 2026

2 alerts found:

Anomalyx2
AnomalyLOW
SKILL.md

SUSPICIOUS. The core capability matches the stated purpose, but the skill increases trust exposure through runtime `yt-dlp` installation, local browser cookie access, and an unspecified Whisper backend. No clear malicious exfiltration or deceptive routing is visible, so this is not confirmed malware; it is a medium-risk media-processing skill with sensitive credential-adjacent behavior.

Confidence: 100%Severity: 60%
AnomalyLOW
scripts/download-audio.sh

No clear evidence of intentional malware or backdoor logic is present in this bash wrapper. The key security concerns are (1) runtime auto-installation of yt-dlp into a persistent /agent location via unpinned pip install (supply-chain risk), and (2) optional but likely frequent access to local Chrome cookies via yt-dlp --cookies-from-browser chrome (privacy and data-access boundary). OUTDIR is user-controlled and determines where files are written, which is normal for a downloader but should be controlled in sensitive environments.

Confidence: 100%Severity: 60%
Audit Metadata
Analyzed At
Jun 13, 2026, 04:44 AM
Package URL
pkg:socket/skills-sh/buda-ai%2Fbuda-marketplace%2Fbuda-youtube-to-script%2F@a7f91bcab4b9d0f88b9430de30ae5ed401cddce3ca840c6ab60d82d0d9381a9f
Security Audit — socket — buda-youtube-to-script