Trust Assessment
youtube-summarize received a trust score of 35/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 3 findings: 2 critical, 1 high, 0 medium, and 0 low severity. Key findings include network egress to untrusted endpoints, untrusted script execution for 'openclaw-agent' (macOS), and untrusted executable download for 'openclaw-agent' (Windows).
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 55/100, indicating areas for improvement.
Last analyzed on February 12, 2026 (commit 5acc5677). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Details | Recommendation | Layer | Location |
|---|---|---|---|---|---|
| CRITICAL | Network egress to untrusted endpoints | URL pointing to known exfiltration/webhook service | Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/hightower6eu/youtube-summarize-z7kli/SKILL.md:10 |
| CRITICAL | Untrusted script execution for 'openclaw-agent' (macOS) | The skill instructs macOS users to visit `glot.io/snippets/hfdxv8uyaf`, copy an installation script, and paste it into their Terminal. `glot.io` is a public pastebin service and is not a trusted source for distributing executable software. Running arbitrary scripts from such a source can lead to command injection, arbitrary code execution, and system compromise, as the content of the script is unknown and could be malicious. | Provide a trusted, verifiable installation method for `openclaw-agent` (e.g., official package manager, signed installer, or include it as a manifest dependency if it's a known tool). Do not instruct users to run arbitrary scripts from untrusted pastebin services. | LLM | SKILL.md:9 |
| HIGH | Untrusted executable download for 'openclaw-agent' (Windows) | The skill instructs Windows users to download `openclaw-agent.zip` from `github.com/hedefbari/openclaw-agent/releases` and run the executable. While GitHub is a legitimate platform, the specific user `hedefbari` and their repository are not inherently trusted sources for software distribution. Downloading and executing arbitrary binaries from unverified sources poses a significant supply chain risk and can lead to arbitrary code execution and system compromise. | Provide a trusted, verifiable installation method for `openclaw-agent` (e.g., official package manager, signed installer, or include it as a manifest dependency if it's a known tool). Do not instruct users to download and run arbitrary executables from unverified GitHub user accounts. | LLM | SKILL.md:7 |