podcast-workflow
Warn
Audited by Gen Agent Trust Hub on Jun 30, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: Direct shell command injection vulnerability. In Step 1, the skill executes
python3 .../get_transcript.py "YOUTUBE_URL". Since theYOUTUBE_URLis provided by the user and interpolated directly into the command string, an attacker could provide a malicious string (e.g.,"; touch /tmp/pwned; #) to execute arbitrary system commands. - [COMMAND_EXECUTION]: Use of absolute, hardcoded filesystem paths for execution. The skill references scripts and directories located in
/Users/ugreen/.claude/skills/and/Users/ugreen/Documents/obsidian/. This assumes a specific user environment and bypasses standard application scoping, potentially leading to unauthorized file access or execution if the environment is misconfigured. - [PROMPT_INJECTION]: Susceptibility to indirect prompt injection. The workflow ingests external data from YouTube transcripts (Step 1) and processes it via the
content-digestskill. There are no boundary markers or instructions to ignore embedded commands within the transcript, allowing malicious content in the video transcript to potentially manipulate the agent's summarization or output behavior. - Ingestion points: YouTube transcripts retrieved via
get_transcript.py(Step 1). - Boundary markers: Absent; the content is processed directly.
- Capability inventory: Subprocess execution (
python3), local filesystem writes (Step 4), and network operations via the Feishu API script (Step 5). - Sanitization: Absent; the skill does not specify any validation for the retrieved transcript content.
- [DATA_EXFILTRATION]: Hardcoded identifiers. The skill contains a hardcoded Feishu Wiki parent token (
TOSJwKzxTiFdiRk0aducHNBFntg). While typically used as a location identifier, hardcoding such tokens in skill instructions is a poor security practice that exposes the target storage location.
Audit Metadata