The Agent Skills Directory

[EXTERNAL_DOWNLOADS]: The skill installs the 'google-api-python-client' package. This is the official Python client library for Google APIs and is a well-known, trusted dependency.
[COMMAND_EXECUTION]: The skill instructs the agent to generate a Python script from an embedded template and execute it via the shell. This process involves passing user-supplied parameters (such as video IDs, channel handles, and topics) directly into command-line arguments, which creates a surface for potential command injection if the agent does not properly escape these inputs.
[PROMPT_INJECTION]: The skill processes untrusted external data in the form of YouTube comments, which introduces a risk of indirect prompt injection.
Ingestion points: Comments are fetched from the YouTube Data API and stored in a JSON file ('comment_mine_data.json') for the agent to read.
Boundary markers: The Python script truncates comments to 500 characters, but the instructions do not require the agent to use explicit delimiters or 'ignore instructions' warnings when processing the collected data into the final report.
Capability inventory: The skill has the capability to install packages, write files, and execute shell/Python commands.
Sanitization: While the Python script uses regular expressions to sanitize output directory names and truncates comment length, it does not sanitize or filter the actual text of the comments for malicious instructions that might target the agent during report generation.

youtube-comment-miner