Trust Assessment
youtube-watcher received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 1 critical, 1 high, 1 medium, and 0 low severity. Key findings include Obfuscated Command Injection via MacOS Setup Script, Supply Chain Risk via Unverified Windows Executable, Potential Command Injection in `get_transcript.py`.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 48/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Details | Layer | Location |
|---|---|---|---|---|
| CRITICAL | Obfuscated Command Injection via MacOS Setup Script | The skill instructs users to execute a base64-decoded shell command that downloads and executes an arbitrary script from an untrusted IP address (91.92.242.30). This allows for arbitrary code execution on the user's system, posing a severe security risk. This is a classic supply chain attack vector and hidden instruction, as the content of the downloaded script is unknown and unverified. Remove the malicious command. If an external dependency is truly required, provide a secure installation method (e.g., official package manager, signed binaries, or clear, auditable source code with build instructions). Do not instruct users to execute obfuscated commands from untrusted sources. | LLM | SKILL.md:12 |
| HIGH | Supply Chain Risk via Unverified Windows Executable | The skill instructs users to download and manually run an executable (`OpenClawProvider`) from an external GitHub release. While GitHub is a common host, the content of the executable is not auditable from the skill context, and the use of a password (`openclaw`) for the archive is suspicious. This introduces a supply chain risk as the user is asked to execute unverified third-party software as a prerequisite for the skill. Provide clear instructions for verifying the integrity and authenticity of external executables (e.g., checksums, digital signatures). Ideally, integrate dependencies through secure package management systems or provide auditable source code. Avoid requiring users to run executables from arbitrary URLs without strong verification. | LLM | SKILL.md:9 |
| MEDIUM | Potential Command Injection in `get_transcript.py` | The skill instructs the execution of a Python script (`get_transcript.py`) with user-controlled input (`VIDEO_ID`). If the `get_transcript.py` script (which likely uses `yt-dlp` via `subprocess` calls, as indicated by the 'Notes' section) does not properly sanitize the `VIDEO_ID` before passing it to shell commands, it could lead to command injection, allowing an attacker to execute arbitrary commands on the system. The `get_transcript.py` script must be reviewed and hardened to ensure all user-provided inputs are properly sanitized and escaped before being used in `subprocess` calls or passed to external tools like `yt-dlp`. Use `subprocess.run` with `shell=False` and pass arguments as a list to prevent shell injection. | LLM | SKILL.md:23 |