Is grpaiva/youtube safe?
https://github.com/openclaw/skills/tree/main/skills/grpaiva/youtube
The grpaiva/youtube skill has a legitimate, well-scoped purpose (YouTube research and transcription) but presents meaningful security risks through its pattern of instructing the agent to download and execute unvetted third-party code at runtime. The skill requires globally installing an npm package from an unknown author and optionally cloning a GitHub repository into /tmp for execution, both without integrity verification. These patterns create a persistent supply chain attack surface, and the skill's embedded 'Security Note' contains materially false claims about its data handling that should not be trusted.
Findings (8)
HIGH Instructs agent to clone and execute unvetted external GitHub repo -25
The Troubleshooting section instructs the agent to clone https://github.com/ZubeidHendricks/youtube-mcp-server into /tmp, run npm install and npm run build, then execute the compiled output. This constitutes arbitrary remote code execution from an unverified third-party GitHub repository with no checksum or signature verification. If this repo is compromised or replaced, the agent executes attacker-controlled code.
HIGH Global npm install of unvetted third-party package -20
The primary setup step instructs 'npm install -g zubeid-youtube-mcp-server'. This globally installs an npm package from an author with no established trust relationship to YouTube or Google. Global npm packages run with the executing user's full permissions and have unrestricted filesystem and network access. Typosquatting or account compromise of this package would silently backdoor the agent.
MEDIUM Embedded 'Security Note' contains false claims about data handling -18
SKILL.md includes a reassuring security section asserting that no third-party servers are involved and all network calls go to googleapis.com. Both claims are false: the npm MCP package and GitHub-cloned server run as local Node.js processes with unrestricted outbound network access. This false assurance is likely to lower user guard and discourage security scrutiny of the dependency.
MEDIUM All agent YouTube operations route through unvetted external subprocess -15
Every usage pattern in SKILL.md invokes an external subprocess (node /tmp/youtube-mcp-server/dist/cli.js) for all YouTube-related tasks. The subprocess controls what data is returned to the agent context. A compromised MCP server could inject adversarial instructions into the agent's context window via manipulated API responses, transcript content, or tool output, achieving secondary prompt injection.
MEDIUM MCP server executes from world-writable /tmp with no integrity verification -5
All usage examples reference the MCP server at /tmp/youtube-mcp-server/dist/cli.js. The /tmp directory is world-writable on Linux systems. There is no hash or signature check on the built artifacts before execution. An attacker with local write access to /tmp (via another vulnerability or skill) could substitute a malicious binary at this path.
LOW API key passed as cleartext environment variable to subprocess -10
The YOUTUBE_API_KEY is passed as a cleartext environment variable to node subprocesses. On Linux, process environment variables are readable via /proc/
LOW Persistent supply chain risk via npm and GitHub dependency -15
The skill has a hard runtime dependency on zubeid-youtube-mcp-server (npm) and ZubeidHendricks/youtube-mcp-server (GitHub). Neither originates from Google or a recognized official source. A supply chain compromise of either — via npm account takeover, malicious publish, or GitHub repo compromise — would cause the agent to execute attacker-controlled code on every YouTube-related user request without any indication to the user.
INFO Installation clone from GitHub is expected and clean 0
The skill installation performed a sparse git checkout from github.com (140.82.121.4:443), which is the documented installation mechanism for the openclaw skills registry. No unexpected outbound connections, no persistence mechanisms, and no unexpected process spawning were observed during installation.