podcast-workflow

Warn

Audited by Gen Agent Trust Hub on Jun 30, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: Direct shell command injection vulnerability. In Step 1, the skill executes python3 .../get_transcript.py "YOUTUBE_URL". Since the YOUTUBE_URL is provided by the user and interpolated directly into the command string, an attacker could provide a malicious string (e.g., "; touch /tmp/pwned; #) to execute arbitrary system commands.
  • [COMMAND_EXECUTION]: Use of absolute, hardcoded filesystem paths for execution. The skill references scripts and directories located in /Users/ugreen/.claude/skills/ and /Users/ugreen/Documents/obsidian/. This assumes a specific user environment and bypasses standard application scoping, potentially leading to unauthorized file access or execution if the environment is misconfigured.
  • [PROMPT_INJECTION]: Susceptibility to indirect prompt injection. The workflow ingests external data from YouTube transcripts (Step 1) and processes it via the content-digest skill. There are no boundary markers or instructions to ignore embedded commands within the transcript, allowing malicious content in the video transcript to potentially manipulate the agent's summarization or output behavior.
  • Ingestion points: YouTube transcripts retrieved via get_transcript.py (Step 1).
  • Boundary markers: Absent; the content is processed directly.
  • Capability inventory: Subprocess execution (python3), local filesystem writes (Step 4), and network operations via the Feishu API script (Step 5).
  • Sanitization: Absent; the skill does not specify any validation for the retrieved transcript content.
  • [DATA_EXFILTRATION]: Hardcoded identifiers. The skill contains a hardcoded Feishu Wiki parent token (TOSJwKzxTiFdiRk0aducHNBFntg). While typically used as a location identifier, hardcoding such tokens in skill instructions is a poor security practice that exposes the target storage location.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jun 30, 2026, 09:24 AM
Security Audit — agent-trust-hub — podcast-workflow