Trust Assessment
youtube-apify-transcript received a trust score of 50/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 6 findings: 1 critical, 0 high, 2 medium, and 2 low severity. Key findings include Persistence / self-modification instructions, Suspicious import: requests, Persistence mechanism: Shell RC file modification.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (6)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Persistence / self-modification instructions. Shell RC file modification for persistence. Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/robbyczgw-cla/youtube-apify-transcript/SKILL.md:34 |
| MEDIUM | Suspicious import: requests. Import of 'requests' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/robbyczgw-cla/youtube-apify-transcript/scripts/fetch_transcript.py:24 |
| MEDIUM | Persistence mechanism: Shell RC file modification. Detected Shell RC file modification pattern. Persistence mechanisms allow malware to survive system restarts. Review this persistence pattern. Skills should not modify system startup configuration. | Static | skills/robbyczgw-cla/youtube-apify-transcript/SKILL.md:34 |
| LOW | Node lockfile missing. package.json is present but no lockfile was found (package-lock.json, pnpm-lock.yaml, or yarn.lock). Commit a lockfile for deterministic dependency resolution. | Dependencies | skills/robbyczgw-cla/youtube-apify-transcript/package.json |
| LOW | Unpinned Python dependency 'requests'. The `scripts/fetch_transcript.py` file instructs users to `pip install requests` without specifying a version. This can lead to non-deterministic builds and potentially introduce vulnerabilities if a future version of `requests` contains a bug or a malicious update. It is best practice to pin dependencies to specific versions or version ranges. Specify a version range or exact version for the `requests` library (e.g., `pip install requests==2.28.1` or `requests>=2.28,<3`). Consider using a `requirements.txt` file for managing Python dependencies. | LLM | scripts/fetch_transcript.py:23 |
| INFO | Discrepancy in declared repository URL. The `package.json` file declares the repository as `https://github.com/robbyczgw-cla/youtube-apify-transcript.git`, which differs from the `Repository URL metadata` (`https://github.com/openclaw/skills`) provided in the analysis context. While this might be due to the skill originating from a different repository before being integrated into the `openclaw/skills` monorepo, it could indicate a potential supply chain risk if the skill's true origin or maintenance is unclear or differs from expectations. Ensure the `repository` field in `package.json` accurately reflects the skill's canonical source within the `openclaw/skills` monorepo, or clarify the relationship if it is an upstream source. | LLM | package.json:18 |