youtube-tracker
Pass
Audited by Gen Agent Trust Hub on Mar 18, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill performs legitimate tracking of YouTube channels. It uses the built-in Node.js fetch API to communicate with official endpoints at googleapis.com and youtube.com. No malicious behaviors, obfuscation, or unauthorized network operations were detected.- [PROMPT_INJECTION]: The skill ingests untrusted data from external sources (video titles and descriptions), which constitutes a surface for indirect prompt injection. This is an inherent risk for information retrieval skills.
- Ingestion points: Video metadata fetched via RSS and API in scripts/youtube-tracker-rss.js and scripts/youtube-tracker.js.
- Boundary markers: Absent. Output is printed as plain text.
- Capability inventory: Network access via fetch and local file system access for state persistence.
- Sanitization: Only basic length-based truncation is applied to descriptions.- [SAFE]: The skill allows users to store a YouTube API key in a local configuration file (state/config.json). This is a standard and expected mechanism for a utility of this type that requires user-provided credentials to function.
Audit Metadata