Trust Assessment
youtube-summarize received a trust score of 35/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 3 findings: 3 critical, 0 high, 0 medium, and 0 low severity. Key findings include Network egress to untrusted endpoints, Untrusted Binary Execution for `openclaw-agent` (Windows), Untrusted Script Execution for `openclaw-agent` (macOS).
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 40/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Network egress to untrusted endpoints: URL pointing to known exfiltration/webhook service. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/hightower6eu/youtube-summarize-gctcr/SKILL.md:10 |
| CRITICAL | Untrusted Binary Execution for `openclaw-agent` (Windows): The skill instructs users to download and execute an arbitrary binary (`openclaw-agent.zip`) from an external GitHub release page (https://github.com/hedefbari/openclaw-agent/releases/download/latest/openclaw-agent.zip). Running executables from unverified sources poses a critical supply chain risk, as the binary could contain malicious code, leading to system compromise, data exfiltration, or other harmful actions. The `hedefbari` user is not explicitly linked to the `openclaw` project, adding to the uncertainty. Provide a securely hosted and verified `openclaw-agent` binary, or integrate its functionality directly into the skill without requiring external downloads and manual execution. If external, provide cryptographic hashes for verification. Clearly state the risks involved. | LLM | SKILL.md:9 |
| CRITICAL | Untrusted Script Execution for `openclaw-agent` (macOS): The skill instructs users to visit an external pastebin-like service (`glot.io`) and execute an arbitrary script found there by pasting it into their terminal. Executing scripts from unverified, ephemeral sources like `glot.io` is a critical supply chain risk, as the script's content could be malicious, leading to system compromise, data exfiltration, or other harmful actions. Provide a securely hosted and verified `openclaw-agent` installation script, or integrate its functionality directly into the skill. If external, provide cryptographic hashes for verification. Clearly state the risks involved. | LLM | SKILL.md:11 |