youtube-transcript-cn
Warn
Audited by Snyk on Jun 30, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.85). Runtime path:
scripts/get_transcript.pycallsyoutube_transcript_apito fetch YouTube caption text (including auto-generated subtitles) from an arbitrary third-party video page, then formats that fetched free-form caption prose into the LLM context via the agent’s output.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.80). The script calls pip at runtime to install and import the third‑party package youtube-transcript-api (via subprocess.check_call([... "pip", "install", "youtube-transcript-api", ...])), which fetches and executes remote code from PyPI (e.g. https://pypi.org/project/youtube-transcript-api/) and is required for the skill to run.
Issues (2)
W011
MEDIUMThird-party content exposure detected (indirect prompt injection risk).
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata