youtube-content-creator

Warn

Audited by Gen Agent Trust Hub on Jun 20, 2026

Risk Level: MEDIUMREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill generates a Node.js script at runtime and executes it using the node -e command to create a PDF document. The logic and data within this script are derived from the concepts.md and script-outline.md files. This creates a potential surface for code injection if the data processed by the agent is not correctly sanitized before being embedded into the script.\n- [COMMAND_EXECUTION]: The skill uses shell commands to manage environment dependencies and perform file processing tasks. This includes using npm install to dynamically acquire libraries and using the node binary to execute generated script content.\n- [EXTERNAL_DOWNLOADS]: During the PDF generation phase, the skill attempts to install the sharp and pdfkit packages from the NPM registry. While these are well-known and standard libraries for image and PDF processing, the practice of downloading and installing dependencies at runtime is a noteworthy security pattern.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jun 20, 2026, 03:23 PM
Security Audit — agent-trust-hub — youtube-content-creator