watch
Pass
Audited by Gen Agent Trust Hub on May 16, 2026
Risk Level: SAFE
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The `watch.py` script executes local binaries including `yt-dlp`, `ffmpeg`, and `ffprobe`. These executions are performed securely using the `subprocess` module with command arguments passed as a list, which prevents shell injection. Additionally, external inputs like URLs are passed after the `--` separator to prevent flag injection attacks.
- [PROMPT_INJECTION]: As the skill is designed to ingest and process untrusted external data (video transcripts, titles, and descriptions), it is susceptible to indirect prompt injection. However, the script mitigates this risk by encapsulating external content within Markdown code blocks and headers, providing structural boundaries for the AI agent.
  - Ingestion points: YouTube metadata (titles, descriptions) and transcript segments (captions or Whisper output) fetched via `yt-dlp` and the `watch.py` script.
  - Boundary markers: Transcripts are presented within triple-backtick code blocks (```) and clearly labeled with Markdown headers.
  - Capability inventory: The agent has the ability to execute the `watch.py` script and read local files (frames) generated by it.
  - Sanitization: The script performs text cleaning on subtitle files, such as removing VTT tags and rolling duplicates, but does not perform content-based filtering of the transcript text.
Audit Metadata