baoyu-youtube-transcript
Warn
Audited by Socket on May 15, 2026
1 alert found:
Anomaly (LOW): scripts/youtube.ts
This module primarily performs YouTube transcript/metadata retrieval. It does not show clear in-module malware behaviors (no backdoor/exfiltration/persistence evident). However, it materially increases security risk by (1) executing external binaries (yt-dlp/uvx/python) via spawnSync and parsing their output, (2) optionally passing local browser cookie access to that tool through an environment variable, and (3) writing remote content to an arbitrary caller-provided outputPath without visible validation. These are important supply-chain/execution and filesystem-safety concerns that should be reviewed at integration time (PATH/tool trust, environment handling, and outputPath confinement).
Confidence: 66%
Severity: 64%
Audit Metadata