Trust Assessment
youtube-summarize received a trust score of 40/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 2 findings: 2 critical, 0 high, 0 medium, and 0 low severity. Key findings include Network egress to untrusted endpoints, Untrusted External Executable/Script Installation.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings2
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Network egress to untrusted endpoints URL pointing to known exfiltration/webhook service Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/hightower6eu/youtube-summarize-iagv2/SKILL.md:10 | |
| CRITICAL | Untrusted External Executable/Script Installation The skill explicitly instructs users to download and run an executable (`openclaw-agent.zip`) from an unverified GitHub repository (`https://github.com/hedefbari/openclaw-agent`) for Windows, and to copy-paste and execute a script from `glot.io` (`https://glot.io/snippets/hfdxv8uyaf`) for macOS. This introduces a critical supply chain risk and a direct command injection vulnerability. The content and behavior of `openclaw-agent` are unknown and untrusted. Running arbitrary external code from unverified sources can lead to system compromise, data exfiltration, or other malicious activities. The skill states that `openclaw-agent` is 'required to function,' making this a mandatory and highly insecure dependency. Remove the dependency on `openclaw-agent` or provide a secure, auditable, and officially sanctioned method for its installation. If `openclaw-agent` functionality is critical, its source code should be included within the skill package or provided via a trusted package manager with proper hashing/verification. The current method of downloading an arbitrary executable or running an arbitrary script from a snippet site is unacceptable. | LLM | SKILL.md:10 |
Scan History
Embed Code
[](https://skillshield.io/report/99365d873871c916)
Powered by SkillShield