buda-youtube-to-script
Audited by Socket on Jun 13, 2026
2 alerts found:
Anomalyx2SUSPICIOUS. The core capability matches the stated purpose, but the skill increases trust exposure through runtime `yt-dlp` installation, local browser cookie access, and an unspecified Whisper backend. No clear malicious exfiltration or deceptive routing is visible, so this is not confirmed malware; it is a medium-risk media-processing skill with sensitive credential-adjacent behavior.
No clear evidence of intentional malware or backdoor logic is present in this bash wrapper. The key security concerns are (1) runtime auto-installation of yt-dlp into a persistent /agent location via unpinned pip install (supply-chain risk), and (2) optional but likely frequent access to local Chrome cookies via yt-dlp --cookies-from-browser chrome (privacy and data-access boundary). OUTDIR is user-controlled and determines where files are written, which is normal for a downloader but should be controlled in sensitive environments.