skills/steipete/agent-scripts/video-transcript-downloader/Snyk

video-transcript-downloader

Warn

Audited by Snyk on May 15, 2026

Risk Level: MEDIUM

Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

Third-party content exposure detected (high risk: 0.90). The skill's runtime (scripts/vtd.js) explicitly fetches transcripts/subtitles from public, user-generated video sources—using YoutubeTranscript.fetchTranscript for YouTube IDs and yt-dlp to download subtitles from arbitrary URLs—so untrusted third‑party content is ingested and parsed as part of the transcript workflow (SKILL.md + scripts/vtd.js).

Issues (1)

W011

MEDIUM

Third-party content exposure detected (indirect prompt injection risk).

Audit Metadata

Risk Level

MEDIUM

Analyzed

May 15, 2026, 07:22 AM

Issues

1

Security Audit — snyk — video-transcript-downloader