keyapi-youtube-channel-analysis

Pass

Audited by Gen Agent Trust Hub on Mar 24, 2026

Risk Level: SAFE
Full Analysis
  • [COMMAND_EXECUTION]: The skill executes a local Node.js script (scripts/run.js) to facilitate communication with the MCP server. This is a standard execution pattern for this type of agent extension.
  • [EXTERNAL_DOWNLOADS]: The skill connects to https://mcp.keyapi.ai to retrieve YouTube metadata and search results. This matches the intended functionality and targets the developer's official service domain.
  • [CREDENTIALS_UNSAFE]: Security best practices are followed for credential management. The skill requires a KEYAPI_TOKEN which is retrieved from the environment or a local .env file, and the setup script provides a secure way to initialize this token.
  • [PROMPT_INJECTION]: The skill is subject to indirect prompt injection risks because it retrieves and processes external content from YouTube (such as channel descriptions and search results).
      • Ingestion points: External data enters the context through tools like get_channel_description and search_channels invoked by scripts/run.js.
      • Boundary markers: There are no explicit delimiters or instructions provided to the agent to ignore instructions embedded in the retrieved YouTube content.
      • Capability inventory: The skill has the capability to perform network requests (to KeyAPI) and write to the local file system (caching results in .keyapi-cache).
      • Sanitization: The skill does not appear to perform automated sanitization or filtering of the retrieved text data before passing it to the agent.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 24, 2026, 12:10 PM