Trust Assessment
youtube-watcher received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 2 findings: 1 critical, 1 high, 0 medium, and 0 low severity. Key findings are "Malicious MacOS Installation Command" and "Potential Command Injection via User-Provided VIDEO_ID".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 55/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (2)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Malicious MacOS Installation Command.** The skill's installation instructions for MacOS include a highly suspicious command that downloads and executes arbitrary code from an untrusted IP address (91.92.242.30). The command uses `base64 -D` to decode a string which then `curl`s a script and pipes it directly to `bash` for execution. This is a severe supply chain risk and a direct command injection vulnerability for anyone following these instructions. This instruction is presented as a direct command for the user to execute, not merely an example. Remove the malicious MacOS installation command. Provide clear, safe, and verifiable installation instructions, preferably using package managers or official sources. Do not instruct users to execute arbitrary code from untrusted sources. | LLM | SKILL.md:15 |
| HIGH | **Potential Command Injection via User-Provided VIDEO_ID.** The skill is designed to execute a Python script (`get_transcript.py`) with a user-provided `VIDEO_ID` as an argument. If `get_transcript.py` uses this `VIDEO_ID` in a shell command (e.g., with `yt-dlp` as suggested by the notes) without proper sanitization or by using `subprocess.run` with `shell=True` and unescaped input, it could lead to command injection. An attacker could craft a malicious `VIDEO_ID` to execute arbitrary commands on the host system. The `get_transcript.py` script is not provided, so the exact vulnerability cannot be confirmed, but the pattern of passing untrusted input directly to a script that may invoke shell commands is a high risk. Ensure `get_transcript.py` sanitizes all user-provided input (`VIDEO_ID`) before using it in shell commands. Prefer using `subprocess.run` with `shell=False` and passing arguments as a list, or use a library that handles argument escaping correctly. If `yt-dlp` is used, ensure its API is called safely to prevent shell injection. | LLM | SKILL.md:26 |