Trust Assessment
grab received a trust score of 58/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 9 findings: 4 critical, 2 high, 3 medium, and 0 low severity. Key findings include "Sensitive environment variable access: $OPENAI_API_KEY", "Command Injection via yt-dlp with user-controlled URL", and "Prompt Injection via user-controlled YouTube video title".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (9)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Command Injection via yt-dlp with user-controlled URL. The skill directly executes `yt-dlp` with a user-provided URL (`$url`) without sufficient sanitization. A malicious user could craft a URL containing shell metacharacters (e.g., `https://example.com; rm -rf /`) to execute arbitrary commands on the host system. Although the URL is quoted, this does not guarantee protection against all forms of shell injection or vulnerabilities within `yt-dlp`'s URL parsing. Implement strict URL validation to ensure it conforms to expected formats and does not contain shell metacharacters. Consider using a safer method for executing external commands, such as a Python `subprocess` call with `shlex.quote` for arguments, or a more robust shell escaping library if remaining in Bash. | LLM | scripts/lib/tweet.sh:29 |
| CRITICAL | Command Injection via yt-dlp with user-controlled URL. The skill directly executes `yt-dlp` with a user-provided URL (`$url`) without sufficient sanitization. A malicious user could craft a URL containing shell metacharacters (e.g., `https://example.com; rm -rf /`) to execute arbitrary commands on the host system. Although the URL is quoted, this does not guarantee protection against all forms of shell injection or vulnerabilities within `yt-dlp`'s URL parsing. Implement strict URL validation to ensure it conforms to expected formats and does not contain shell metacharacters. Consider using a safer method for executing external commands, such as a Python `subprocess` call with `shlex.quote` for arguments, or a more robust shell escaping library if remaining in Bash. | LLM | scripts/lib/tweet.sh:100 |
| CRITICAL | Command Injection via yt-dlp with user-controlled URL. The skill directly executes `yt-dlp` with a user-provided URL (`$url`) without sufficient sanitization. A malicious user could craft a URL containing shell metacharacters (e.g., `https://example.com; rm -rf /`) to execute arbitrary commands on the host system. Although the URL is quoted, this does not guarantee protection against all forms of shell injection or vulnerabilities within `yt-dlp`'s URL parsing. Implement strict URL validation to ensure it conforms to expected formats and does not contain shell metacharacters. Consider using a safer method for executing external commands, such as a Python `subprocess` call with `shlex.quote` for arguments, or a more robust shell escaping library if remaining in Bash. | LLM | scripts/lib/youtube.sh:8 |
| CRITICAL | Command Injection via yt-dlp with user-controlled URL. The skill directly executes `yt-dlp` with a user-provided URL (`$url`) without sufficient sanitization. A malicious user could craft a URL containing shell metacharacters (e.g., `https://example.com; rm -rf /`) to execute arbitrary commands on the host system. Although the URL is quoted, this does not guarantee protection against all forms of shell injection or vulnerabilities within `yt-dlp`'s URL parsing. Implement strict URL validation to ensure it conforms to expected formats and does not contain shell metacharacters. Consider using a safer method for executing external commands, such as a Python `subprocess` call with `shlex.quote` for arguments, or a more robust shell escaping library if remaining in Bash. | LLM | scripts/lib/youtube.sh:58 |
| HIGH | Prompt Injection via user-controlled YouTube video title. The `summarize_text` function constructs an LLM prompt by interpolating the `$context` variable. In `scripts/lib/youtube.sh`, the `$context` for `summarize_text` includes the YouTube video title (`"YouTube video titled '$title'"`), which is extracted from `yt-dlp` output and is user-controlled. A malicious YouTube video title could be crafted to inject instructions into the LLM prompt, potentially manipulating the LLM's behavior or leading to data exfiltration. Sanitize or strictly validate any user-controlled input before interpolating it into LLM prompts. For titles, consider using a fixed string or a heavily sanitized version that cannot contain prompt injection directives. Alternatively, pass user-controlled content as a separate user message rather than embedding it in system instructions. | LLM | scripts/lib/helpers.sh:150 |
| HIGH | Prompt Injection via user-controlled YouTube video title. The `generate_title` function constructs an LLM prompt by interpolating the `$context` variable. In `scripts/lib/youtube.sh`, the `$context` for `generate_title` (if it were called, though it's not in the provided snippet for YouTube) would include the YouTube video title (`"YouTube video titled '$title'"`), which is extracted from `yt-dlp` output and is user-controlled. A malicious YouTube video title could be crafted to inject instructions into the LLM prompt, potentially manipulating the LLM's behavior or leading to data exfiltration. Sanitize or strictly validate any user-controlled input before interpolating it into LLM prompts. For titles, consider using a fixed string or a heavily sanitized version that cannot contain prompt injection directives. Alternatively, pass user-controlled content as a separate user message rather than embedding it in system instructions. | LLM | scripts/lib/helpers.sh:200 |
| MEDIUM | Sensitive environment variable access: $OPENAI_API_KEY. Access to sensitive environment variable '$OPENAI_API_KEY' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/jamesalmeida/grab/scripts/lib/helpers.sh:17 |
| MEDIUM | Potential Command Injection via curl with API-provided URLs. The skill uses `curl` to download images and thumbnails, with URLs (`$img_url`, `$thumbnail`) sourced from external APIs (Reddit, YouTube). While these APIs are generally trusted, the content they provide (the URLs themselves) is ultimately user-generated. If a malicious user uploads content with a specially crafted URL (e.g., `file:///etc/passwd` or a URL that exploits a `curl` vulnerability), it could lead to data exfiltration or other issues. The output filename is controlled, but the URL itself is not explicitly sanitized for shell metacharacters before being passed to `curl`. Validate the `$img_url` to ensure it is a legitimate HTTP/HTTPS URL and does not contain unexpected schemes or shell metacharacters. Consider using a more robust URL parsing and validation library before passing the URL to `curl`. | LLM | scripts/lib/reddit.sh:170 |
| MEDIUM | Potential Command Injection via curl with API-provided URLs. The skill uses `curl` to download images and thumbnails, with URLs (`$img_url`, `$thumbnail`) sourced from external APIs (Reddit, YouTube). While these APIs are generally trusted, the content they provide (the URLs themselves) is ultimately user-generated. If a malicious user uploads content with a specially crafted URL (e.g., `file:///etc/passwd` or a URL that exploits a `curl` vulnerability), it could lead to data exfiltration or other issues. The output filename is controlled, but the URL itself is not explicitly sanitized for shell metacharacters before being passed to `curl`. Validate the `$thumbnail` URL to ensure it is a legitimate HTTP/HTTPS URL and does not contain unexpected schemes or shell metacharacters. Consider using a more robust URL parsing and validation library before passing the URL to `curl`. | LLM | scripts/lib/youtube.sh:50 |