Is abe238/youtube-summarizer safe?

https://github.com/openclaw/skills/tree/main/skills/abe238/youtube-summarizer

Overall score: 55/100 · CAUTION

The youtube-summarizer skill contains a critical shell injection vulnerability: the video ID extracted from user-supplied input is spliced into a shell command string (a bash-executed node -e invocation) without validation or quoting, so a crafted YouTube-like URL yields arbitrary command execution on the host. It also unconditionally forwards full video transcripts to Telegram without per-invocation user consent, and it requires cloning and building an unreviewed third-party npm package whose install and build steps (and those of its transitive dependencies) run arbitrary code. The clone behavior was clean and the canary files were not touched, but the runtime attack surface, compounded by the skill's assumption that it runs as root under /root/clawd/, makes it unsuitable for installation without thorough review and hardening.

Category Scores (score out of 100 · weight in the overall score)

Prompt Injection 52/100 · 30%
Data Exfiltration 50/100 · 25%
Code Execution 38/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 90/100 · 10%
Behavioral Reasoning 35/100 · 5%

Findings (10)

CRITICAL Shell injection via user-controlled video ID in bash command -40

The SKILL.md instructs the agent to extract a video ID from user-supplied input and substitute it directly into a bash-executed node --input-type=module -e command. No sanitization, allowlist validation, or quoting guidance is specified, so the extracted value lands inside a string that bash parses. An attacker who sends a crafted YouTube-like URL can make the extracted 'ID' carry shell metacharacters or a quote that terminates that string early; when the agent constructs and executes the command, the remainder runs as arbitrary shell code on the host under the agent's privileges (root, given the paths the skill assumes).

HIGH Full transcript unconditionally auto-sent to Telegram -30

In any Telegram context the skill automatically attaches the complete video transcript file and sends it to the current chat without user confirmation. Every video the user shares results in its full text being forwarded to Telegram—a third-party platform. If the CHAT_ID is attacker-influenced (e.g., via a concurrent skill or social engineering), this becomes a reliable covert exfiltration channel. Even in legitimate use, this sends potentially sensitive viewing content to an external service without explicit consent at each invocation.

HIGH Unreviewed third-party npm dependency cloned and built at install -20

The skill declares a required external dependency hosted under a third-party GitHub account (kimtaeyoon83/mcp-server-youtube-transcript) and instructs installing it via git clone, npm install, and npm run build. That grants the package and all of its transitive npm dependencies, none of which are audited as part of this skill, arbitrary code execution at install time (npm lifecycle scripts such as preinstall and postinstall, plus the package's own build script) and at every invocation thereafter. A malicious update to the upstream repository, or to any package in its dependency tree, would silently compromise any host that installs or updates this skill.

HIGH User-supplied input injected into shell command without sanitization -25

The skill workflow explicitly directs the agent to extract a video ID from user input and substitute it into a shell command. The extraction heuristic (matching URL patterns or 11-character IDs) is not specified to validate characters, enforce an allowlist, or quote the result. Sending a URL whose 'ID' portion is dQw4w9WgXcQ'; malicious_command; echo ' would cause the extracted value to close the quoted string inside the node command and execute the injected command. A genuine YouTube video ID is exactly 11 characters from [A-Za-z0-9_-]; anything else should be rejected before it reaches a shell, and the ID should be handed to the child process as an argument or environment variable rather than interpolated into command text.
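As an added example (not the skill's own code and not taken from the openclaw/skills repository), the POSIX shell snippet below puts the two halves of this finding side by side: a harmless stand-in for the skill's pattern, where the extracted ID is interpolated into a command string that a second shell parses, and a hardened version that allowlists the ID to exactly 11 characters of [A-Za-z0-9_-] and passes it to the child process through an environment variable, so nothing user-controlled is ever parsed as shell syntax. The function names, the payload (constructed to mirror the one quoted above, with echo INJECTED standing in for malicious_command), the environment variable YT_VIDEO_ID, and the placeholder node script body are assumptions for illustration; the skill's real transcript-fetching code is not shown on this page.

```shell
#!/bin/sh
# Added example, not the youtube-summarizer skill's code. Plain POSIX sh.
set -eu

# Allowlisting extractor: accepts youtu.be/ID, watch?v=ID, shorts/ID, embed/ID, or a bare ID.
# Prints the ID and returns 0 only if it is exactly 11 characters of [A-Za-z0-9_-];
# otherwise prints nothing and returns 1, so quotes, ';', '$', spaces and the like never get through.
extract_video_id() {
  input=$1
  case $input in
    *youtu.be/*)           id=${input##*youtu.be/} ;;
    *youtube.com/shorts/*) id=${input##*/shorts/} ;;
    *youtube.com/embed/*)  id=${input##*/embed/} ;;
    *youtube.com/watch*)   id=${input##*[?&]v=} ;;   # text after the last ?v= or &v=
    *)                     id=$input ;;
  esac
  id=${id%%[?&#/]*}                     # drop anything from the first ?, &, #, or / onward
  [ "${#id}" -eq 11 ] || return 1
  case $id in *[!A-Za-z0-9_-]*) return 1 ;; esac
  printf '%s\n' "$id"
}

# What the skill's workflow amounts to, with printf standing in for the node command:
# the value is spliced into a string that a second shell parses, so a quote in it ends
# the literal early and the rest of the payload runs as commands.
interpolate_into_shell() {
  sh -c "printf 'id=%s\n' '$1'"
}

# Same call with the value passed as an argument: the child shell never sees it as
# syntax, so it prints the whole payload verbatim and executes none of it.
pass_as_argv() {
  sh -c 'printf "id=%s\n" "$1"' _ "$1"
}

# Hardened pipeline for the real fetch: validate first, then pass the ID through an
# environment variable (immune to option parsing even for IDs that begin with '-'), and
# write to a private per-run temp file (mode 0600, unpredictable name) rather than a
# fixed path in /tmp. FETCH_SCRIPT is a placeholder for the transcript-fetching code.
FETCH_SCRIPT='const id = process.env.YT_VIDEO_ID; console.log(JSON.stringify({ id }));'
summarize_safe() {
  id=$(extract_video_id "$1") || { printf 'rejected: not a YouTube video ID\n' >&2; return 2; }
  out=$(mktemp "${TMPDIR:-/tmp}/yt-transcript.XXXXXX")
  YT_VIDEO_ID=$id node --input-type=module -e "$FETCH_SCRIPT" > "$out"
  printf '%s\n' "$out"                  # hand the private path to the next step
}

# With a URL argument, run the hardened path (needs node). With no arguments, show the
# two stand-ins against a constructed payload modelled on the one in the finding.
if [ -n "${1:-}" ]; then
  summarize_safe "$1"
else
  PAYLOAD="dQw4w9WgXcQ'; echo INJECTED; echo '"     # constructed sample input
  echo '--- interpolated into command text (vulnerable) ---'
  interpolate_into_shell "$PAYLOAD"
  echo '--- passed as an argument (hardened) ---'
  pass_as_argv "$PAYLOAD"
  echo '--- allowlist check on the same payload ---'
  if extract_video_id "https://www.youtube.com/watch?v=$PAYLOAD"; then
    echo 'accepted (should not happen)'
  else
    echo 'rejected'
  fi
fi
```

Run without arguments to see INJECTED appear only in the interpolated variant; the argv variant prints the payload as one inert string, and the allowlist rejects it before any command is built. The environment-variable hand-off is chosen over a positional argument because valid video IDs can begin with '-', which some option parsers would otherwise try to interpret.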

MEDIUM Persistent logging of all viewed video transcripts -15

Every video processed by this skill has its full transcript permanently saved to /root/clawd/transcripts/YYYY-MM-DD_VIDEO_ID.txt. This creates a growing, filesystem-accessible record of the user's complete YouTube viewing history. Any other process, skill, or attacker with access to this directory can reconstruct the user's viewing habits and the full content of every video they have shared with the agent.

MEDIUM Skill assumes and requires root-level execution -40

Every path referenced in the skill is under /root/clawd/, the root user's home directory. In practice the skill cannot function unless the agent runs as root, which means any shell injection or dependency compromise in the skill immediately grants an attacker root access to the host. The skill also requires writing to /root/clawd/transcripts/ and executing binaries under /root/clawd/mcp-server-youtube-transcript/, all of which are root-owned.

MEDIUM Explicit bypass of YouTube bot-detection via Android client emulation -20

The skill documents using Android client emulation specifically to circumvent YouTube's cloud IP blocking and bot-detection systems. This violates YouTube's Terms of Service and demonstrates the skill is designed to evade platform security controls. The same circumvention technique and infrastructure could be extended to bypass other rate limits or security measures.

MEDIUM Broad auto-activation trigger on YouTube URL patterns -15

The skill activates automatically whenever the agent sees any YouTube URL in a user message. This wide trigger surface means an attacker who crafts a message containing a pseudo-YouTube URL (e.g., embedded in otherwise unrelated content) can silently invoke the skill, causing the agent to execute shell commands with the attacker-controlled string as the 'video ID'.

LOW Intermediate transcript data written to world-writable /tmp path -2

The node command redirects its JSON output to /tmp/yt-transcript.json, a fixed, predictable filename in a world-writable directory. On a host with other processes or users, another party can pre-create that file or swap its contents between the write and the agent's read, poisoning the data pipeline with crafted JSON and potentially influencing the agent's subsequent behavior or summary output. A per-run file created with mktemp in a private directory avoids both the race and the name collision.

INFO Credential files accessed during audit (attributed to audit framework) -10

Filesystem monitoring recorded read-only opens of .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCP credentials at 08:46:47, approximately 5 seconds before the git clone began at 08:46:52. This timing and the CLOSE_NOWRITE disposition (each file was closed without having been written) strongly indicate these accesses were performed by the oathe audit framework establishing and reading canary baselines, not by the skill under test. All canary files are confirmed intact with no modifications.