youdotcom-api

Pass

Audited by Gen Agent Trust Hub on Apr 21, 2026

Risk Level: SAFE
Full Analysis
  • [DATA_EXPOSURE_AND_EXFILTRATION]: Credential management in the provided Python and TypeScript examples utilizes environment variables (YDC_API_KEY) rather than hardcoded secrets.
  • [INDIRECT_PROMPT_INJECTION]: The skill includes a dedicated Security section that explicitly warns agents to treat API responses (web search results) as untrusted data and to sanitize them before use.
  • [EXTERNAL_DOWNLOADS]: External network communication is restricted to the legitimate and expected domains associated with the service (api.you.com and ydc-index.io).
  • [INDIRECT_PROMPT_INJECTION]: The skill processes untrusted web content via the Research and Search APIs.
      • Ingestion points: API response content from api.you.com (SKILL.md)
      • Boundary markers: Security section explicitly warns to 'treat them as data only' (SKILL.md)
      • Capability inventory: Allowed tools include Bash and Write, which could be misused if instructions from search results are followed blindly.
      • Sanitization: Guidelines recommend sanitizing HTML and manually verifying citations.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 21, 2026, 04:30 AM