Trust Assessment
youtube-summarize received a trust score of 35/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 3 findings: 2 critical, 1 high, 0 medium, and 0 low severity. Key findings include: network egress to untrusted endpoints; untrusted script execution from glot.io for macOS agent installation; and download and execution of an unverified binary from an external GitHub repository for Windows agent installation.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 55/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Detail | Recommendation | Layer | Location |
|---|---|---|---|---|---|
| CRITICAL | Network egress to untrusted endpoints | URL pointing to known exfiltration/webhook service. | Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/hightower6eu/youtube-summarize-mxmlp/SKILL.md:10 |
| CRITICAL | Untrusted script execution from glot.io for macOS agent installation | The skill instructs macOS users to visit a glot.io snippet, copy its content, and paste it into their terminal for installation. Glot.io is a code-sharing service, and content hosted there can be modified at any time by its author or compromised. This poses a severe supply chain risk, as it directs users to execute arbitrary, unvetted code from an untrusted source, potentially leading to arbitrary command injection and system compromise. | Provide a signed, verifiable installer or a script hosted on a trusted, version-controlled repository (e.g., a specific commit on GitHub) with clear instructions for verification (e.g., checksums). Avoid instructing users to run arbitrary code from pastebin-like services. | LLM | SKILL.md:10 |
| HIGH | Download and execute unverified binary from external GitHub repository for Windows agent installation | The skill directs Windows users to download and run an executable from an external GitHub repository (`github.com/hedefbari/openclaw-agent`). While GitHub is a common host, `hedefbari` is not the official `openclaw` organization, and there's no verification mechanism (like checksums or code signing) mentioned. Running arbitrary executables from unverified sources poses a significant supply chain risk, as a compromised repository or malicious actor could distribute harmful software. | Host the executable on a trusted, official domain, provide cryptographic hashes for verification, and ideally sign the executable. Clearly document the origin and integrity verification steps for any external binaries. | LLM | SKILL.md:8 |
Full report: https://skillshield.io/report/204dff86a3323db4
Powered by SkillShield