Skills
skills/iopho-team/iopho-skills/iopho-getting-videos/Gen Agent Trust Hub

iopho-getting-videos

Warn

Audited by Gen Agent Trust Hub on Mar 27, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONDATA_EXFILTRATIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill instructs the agent to build shell commands using variables like $URL and $ARGUMENTS. If these inputs are not strictly sanitized, they could be used to inject additional shell commands or modify the behavior of tools like yt-dlp, BBDown, and lux via command flags.
  • [COMMAND_EXECUTION]: The skill utilizes dynamic context injection (!command) to perform environment checks at load time. These include which commands and python3 imports to verify the presence of dependencies. These are static checks and do not incorporate user input.
  • [REMOTE_CODE_EXECUTION]: Multiple instructions use python3 -c to execute Python scripts where user-controlled variables (e.g., $URL, $AUDIO_FILE) are interpolated directly into string literals. This creates a vulnerability surface for Python code injection.
  • [DATA_EXFILTRATION]: The skill suggests using the --cookies-from-browser flag with yt-dlp. This accesses sensitive session data (cookies) from the user's local browser, which could be exposed if the agent is directed to use this feature maliciously.
  • [EXTERNAL_DOWNLOADS]: The skill directs the user to install several third-party tools and libraries from public registries, including yt-dlp, ffmpeg, BBDown, lux, you-get, youtube-transcript-api, and faster-whisper.
  • [PROMPT_INJECTION]: The skill is designed to ingest and process data from untrusted external sources, such as video metadata, subtitles, and transcripts, creating a surface for indirect prompt injection.
  • Ingestion points: Video metadata JSON (from yt-dlp --dump-json), YouTube transcripts, and subtitles.
  • Boundary markers: No specific delimiters or instructions are provided to the agent to treat this external content as untrusted data.
  • Capability inventory: The skill possesses extensive capabilities, including network access (all tools), file system writes (via download output flags), and arbitrary command execution (via shell tools).
  • Sanitization: The instructions do not include mechanisms to sanitize or validate external metadata before it is processed by the agent or Python scripts.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Mar 27, 2026, 04:33 AM