Trust Assessment
some-other-youtube received a trust score of 30/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 6 findings: 1 critical, 1 high, 4 medium, and 0 low severity. Key findings include Persistence / self-modification instructions, Missing required field: name, Suspicious import: requests.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (6)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Persistence / self-modification instructions. Shell RC file modification for persistence. Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/inaor/some-other-youtube/SKILL.md:33 |
| HIGH | Arbitrary File Write via Unsanitized Output Path. The script allows a user to specify an arbitrary output file path using the `--output` argument. The provided path is used directly in `open(args.output, 'w', ...)`, without any sanitization or validation. An attacker could exploit this by providing a path like `../../../../etc/passwd` or `/tmp/malicious_script.sh` to write or overwrite files in sensitive system locations, potentially leading to privilege escalation, denial of service, or remote code execution if a critical system file is overwritten with malicious content. Sanitize the output file path to ensure it is within an allowed, non-sensitive directory (e.g., a temporary directory or a user-specific output folder). Consider using `os.path.basename()` if only a filename is expected, or validate that the path does not contain directory traversal sequences (e.g., `..`) and is not an absolute path outside a designated safe area. | LLM | scripts/fetch_transcript.py:204 |
| MEDIUM | Missing required field: name. The 'name' field is required for claude_code skills but is missing from frontmatter. Add a 'name' field to the SKILL.md frontmatter. | Static | skills/inaor/some-other-youtube/SKILL.md:1 |
| MEDIUM | Suspicious import: requests. Import of 'requests' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/inaor/some-other-youtube/scripts/fetch_transcript.py:24 |
| MEDIUM | Persistence mechanism: Shell RC file modification. Detected Shell RC file modification pattern. Persistence mechanisms allow malware to survive system restarts. Review this persistence pattern. Skills should not modify system startup configuration. | Static | skills/inaor/some-other-youtube/SKILL.md:33 |
| MEDIUM | API Token Transmitted in URL Query Parameters. The `APIFY_API_TOKEN` is transmitted as a query parameter (`?token=...`) in API requests to Apify. While Apify's API may support this, sending sensitive credentials like API tokens in URL query parameters is generally less secure than using HTTP `Authorization` headers. Query parameters can be logged in web server access logs, proxy logs, browser history, and may be exposed in referrer headers, increasing the risk of token leakage. If the Apify API supports it, transmit the API token in an `Authorization` header (e.g., `Authorization: Bearer <token>`) instead of as a URL query parameter. Consult Apify's API documentation for the recommended method of authentication. If query parameters are the only supported method, ensure that all systems handling these URLs (e.g., web servers, proxies) are configured to redact or encrypt sensitive query parameters in logs. | LLM | scripts/fetch_transcript.py:100 |