Trust Assessment
yt-to-blog received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 12 findings: 4 critical, 5 high, 2 medium, and 1 low severity. Key findings include Arbitrary command execution, Dangerous call: subprocess.run(), Command Injection via unsanitized YouTube URL.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (12)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Arbitrary command execution: Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/justinhartbiz/yt-to-blog/scripts/fetch_transcripts.py:50 |
| CRITICAL | Arbitrary command execution: Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/justinhartbiz/yt-to-blog/scripts/fetch_transcripts.py:74 |
| CRITICAL | Command Injection via unsanitized YouTube URL: The skill constructs a shell command using a user-provided YouTube URL without proper sanitization. If the URL contains shell metacharacters (e.g., ';', '`', '$'), an attacker could inject and execute arbitrary commands on the host system. Before executing `summarize`, strictly validate and sanitize the `YOUTUBE_URL` to ensure it only contains valid URL characters and does not include shell metacharacters. Consider using `subprocess.run` with `shell=False` and passing arguments as a list to avoid shell interpretation. | LLM | SKILL.md:60 |
| CRITICAL | Command Injection via unsanitized tweet text: The skill constructs a shell command (`bird tweet`) using text that is either generated by the LLM or potentially edited by the user. If this text contains shell metacharacters, an attacker could inject and execute arbitrary commands on the host system. Before passing the tweet text to the `bird` CLI, ensure it is thoroughly sanitized to remove or escape any shell metacharacters. Using `subprocess.run` with `shell=False` and passing the tweet text as a distinct argument in a list is recommended. | LLM | SKILL.md:120 |
| HIGH | Dangerous call: subprocess.run(). Call to 'subprocess.run()' detected in function 'get_channel_videos'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/justinhartbiz/yt-to-blog/scripts/fetch_transcripts.py:50 |
| HIGH | Dangerous call: subprocess.run(). Call to 'subprocess.run()' detected in function 'get_video_metadata'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/justinhartbiz/yt-to-blog/scripts/fetch_transcripts.py:74 |
| HIGH | Command Injection via unsanitized ffmpeg parameters: The skill constructs `ffmpeg` commands by inserting values (e.g., `DETECTED_W`, `CONTENT_HEIGHT`) that are derived from external command output (`ffmpeg cropdetect` or a Python script). If these derived values are not strictly validated as numeric or properly escaped before being inserted into the shell command, a malicious output from `ffmpeg cropdetect` or a crafted Python script could lead to command injection. Implement strict validation for all parameters derived from external command output, ensuring they are numeric and within expected ranges. When constructing the `ffmpeg` command, use `subprocess.run` with `shell=False` and pass all arguments as a list to prevent shell interpretation of parameter values. | LLM | SKILL.md:206 |
| HIGH | Credential Harvesting Risk via Substack browser automation: The skill instructs the agent to 'Help the user log in with their credentials' for Substack using browser automation. By controlling the browser during the login process, the agent has direct access to the user's username and password. This creates a significant trust boundary, as a malicious agent could capture these sensitive credentials. Explicitly warn the user about the trust implications of providing credentials via browser automation. Implement strong isolation for the browser automation environment. If possible, explore alternative authentication methods (e.g., OAuth) if Substack ever provides them, to avoid direct credential handling. | LLM | SKILL.md:85 |
| HIGH | Command Injection via unsanitized yt-dlp arguments: The `fetch_transcripts.py` script uses `subprocess.run` to execute `yt-dlp` with `channel_url` or `video_id` derived from user input. Although `subprocess.run` is used with a list of arguments (safer than `shell=True`), if the `channel_url` or `video_id` can be crafted to exploit a parsing vulnerability in `yt-dlp` or break out of its argument handling, it could lead to arbitrary command execution. Strictly validate `channel_url` and `video_id` using regular expressions or other robust parsing methods to ensure they conform to expected YouTube URL/ID formats before passing them to `yt-dlp`. This minimizes the risk of unexpected argument interpretation. | LLM | scripts/fetch_transcripts.py:50 |
| MEDIUM | Supply Chain Risk from custom Homebrew tap: The skill recommends installing `summarize` and `bird` from a custom Homebrew tap (`steipete/tap`). Custom taps are not officially maintained by Homebrew and introduce a dependency on an external, potentially less vetted, repository. A compromise of this tap or its formulae could lead to the installation of malicious software. Recommend using official package sources where possible. If a custom tap is necessary, advise users to verify the source and integrity of the packages. Consider pinning specific versions of these tools to mitigate risks from future updates. | LLM | SKILL.md:30 |
| MEDIUM | Supply Chain Risk from unpinned Python dependencies: The `fetch_transcripts.py` script imports `youtube_transcript_api` but the skill does not specify how this dependency is installed or pinned to a specific version. Unpinned dependencies can lead to unexpected behavior, security vulnerabilities, or even malicious code if a new version of the library is compromised. Specify exact versions for all Python dependencies (e.g., in a `requirements.txt` file) and instruct users to install them using `pip install -r requirements.txt`. Regularly review and update these pinned versions. | LLM | scripts/fetch_transcripts.py:17 |
| LOW | Data Exfiltration: Printing HeyGen Avatar and Voice IDs to console. The `setup.sh` script prints HeyGen avatar and voice IDs to the console during the setup check. While these are not typically considered 'secrets' like API keys, they are unique identifiers for a user's assets. Exposing them in console output could inadvertently leak sensitive user-specific information if logs are shared or viewed by unauthorized parties. Consider masking or redacting these IDs in the console output, or only printing a truncated version, to reduce the risk of unintentional information disclosure. | LLM | setup.sh:120 |
Full report: https://skillshield.io/report/4ec6dc4e5a8e6ea5