Trust Assessment
youtube-instant-article received a trust score of 21/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 7 findings: 2 critical, 1 high, 3 medium, and 1 low severity. Key findings include "Persistence / self-modification instructions", "Sensitive environment variable access: $HOME", and "Persistence mechanism: Shell RC file modification".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 46/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (7)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Persistence / self-modification instructions. Shell RC file modification for persistence. Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/viticci/youtube-instant-article/scripts/setup.sh:62 |
| CRITICAL | Command Injection via Unsanitized URL Argument. The `scripts/generate.sh` script takes a YouTube URL as a direct argument (`$1`) and passes it to the `summarize` command within double quotes (`summarize "$URL"`). While double quotes prevent word splitting and globbing, they do not prevent command substitution (`$(...)`) or arithmetic expansion (`$((...))`) in Zsh (and Bash). An attacker could craft a malicious URL containing shell metacharacters, such as `http://example.com/video?v=$(evil_command)`, leading to arbitrary command execution on the host system when the `summarize` command is invoked. Strictly validate and sanitize the input URL to ensure it does not contain any shell metacharacters before passing it to external commands. Consider using a dedicated URL parsing library or escaping shell-specific characters if the `summarize` tool expects a literal string. Alternatively, if `summarize` is a custom tool, ensure it is robust against such injections. | LLM | scripts/generate.sh:42 |
| HIGH | Excessive Permissions for `curl`. The skill declares `Bash(curl:*)` in its manifest, granting it the ability to execute `curl` with any arguments to any destination. While `curl` is used for legitimate purposes (uploading images to `catbox.moe` and interacting with the Telegraph API), this broad permission allows the skill to exfiltrate arbitrary local files or environment variables to any external server controlled by an attacker. This poses a significant data exfiltration risk. Restrict `curl` permissions to only the necessary domains and argument patterns (e.g., `Bash(curl:https://api.telegra.ph/*,https://catbox.moe/*)`). If fine-grained control is not possible, thoroughly review all `curl` invocations in the skill's code to ensure they are not used for malicious purposes. | LLM | Manifest |
| MEDIUM | Sensitive environment variable access: $HOME. Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/viticci/youtube-instant-article/instant-article.sh:7 |
| MEDIUM | Persistence mechanism: Shell RC file modification. Detected Shell RC file modification pattern. Persistence mechanisms allow malware to survive system restarts. Review this persistence pattern. Skills should not modify system startup configuration. | Static | skills/viticci/youtube-instant-article/scripts/setup.sh:62 |
| MEDIUM | Supply Chain Risk from Third-Party Image Hosting. The `scripts/generate.sh` script uploads video slides to `catbox.moe`, a third-party image hosting service. Reliance on external, untrusted services introduces a supply chain risk. If `catbox.moe` were to be compromised or become malicious, it could potentially serve harmful content, track users, or alter the uploaded images, impacting the integrity and security of the generated articles. Consider using a more controlled or self-hosted image storage solution, or a reputable cloud storage provider with strong security guarantees. If `catbox.moe` must be used, document the associated risks to users and implement checks to verify the integrity of uploaded content if possible. | LLM | scripts/generate.sh:70 |
| LOW | Credential Exposure in Setup Script Output. The `scripts/setup.sh` script explicitly prints the generated `TELEGRAPH_TOKEN` to standard output. While this is part of the setup process and intended for the user to save, it exposes the token in plain text in the console. If the output of this script is logged, captured, or viewed by unauthorized individuals, the `TELEGRAPH_TOKEN` could be compromised. Advise users to handle the token securely and avoid logging the setup script's output. Consider suggesting direct writing to a `.env` file with appropriate file permissions instead of printing to stdout, or providing a more secure method for token retrieval and storage. | LLM | scripts/setup.sh:50 |