youtube
Fail
Audited by Gen Agent Trust Hub on May 14, 2026
Risk Level: HIGHCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The documentation in
references/transcripts.mdrecommends usingsudo apt installfor dependency management on Linux, which involves privilege escalation. - [COMMAND_EXECUTION]: The skill heavily relies on executing shell commands and external CLI tools (
yt-dlp,eyeD3,whisper) via subprocess calls in both Bash and Ruby. - [EXTERNAL_DOWNLOADS]: The skill fetches and installs multiple external packages and libraries from PyPI, Homebrew, and APT. It also uses
bundler/inlineinscripts/ytmp3to dynamically install Ruby gems (thor,gum) from RubyGems at runtime. - [EXTERNAL_DOWNLOADS]: The
ytmp3script usescurlto download content from arbitrary user-provided URLs. - [PROMPT_INJECTION]: The workflow examples in
references/transcripts.mddemonstrate insecure interpolation of shell-derived variables into Python command strings, creating a vulnerability to indirect prompt injection via malicious YouTube metadata. - Ingestion points: Video titles and subtitle filenames extracted via
yt-dlpinreferences/transcripts.mdandscripts/ytmp3. - Boundary markers: Absent; untrusted data is directly embedded into shell and Python strings.
- Capability inventory: Extensive system access including file manipulation (
rm,mv,mkdir), network requests (curl,yt-dlp), and shell execution (python3 -c,bash). - Sanitization: Relies on basic
trcommands which do not fully sanitize against sophisticated injection attacks.
Recommendations
- AI detected serious security threats
Audit Metadata