Is manuelhettich/pocket-casts-yt safe?

https://github.com/openclaw/skills/tree/main/skills/manuelhettich/pocket-casts-yt

82/100 · SAFE

The pocket-casts-yt skill is a legitimate utility that downloads YouTube videos and uploads them to Pocket Casts Files. The skill code itself is clean: no prompt injection, no direct access to system credentials, and no unexpected network exfiltration; the observed canary file accesses are attributable to the audit framework's own lifecycle management rather than to skill behavior. The remaining concerns are operational: the SKILL.md recommends a curl-pipe-shell deno installation, the script uses uvx to download and execute an unpinned yt-dlp release from PyPI at runtime, and long-lived credentials (Pocket Casts token, YouTube session cookies) sit in a predictable location that SKILL.md itself documents in the agent's context, so any co-installed skill or chained prompt knows exactly where to find them.

Category Scores (score out of 100 · weight in the overall score)

Prompt Injection 92/100 · 30%
Data Exfiltration 78/100 · 25%
Code Execution 68/100 · 20%
Clone Behavior 82/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 70/100 · 5%

Findings (9)

MEDIUM curl-pipe-shell deno installation recommended -20

SKILL.md recommends installing deno via curl -fsSL https://deno.land/install.sh | sh. An LLM agent that follows the setup instructions autonomously will download and execute whatever that URL serves at that moment, with no checksum or signature verification and no saved copy to review, so anyone able to change what the URL returns gets arbitrary code execution on the host. The usual replacement is to download the script to a file, compare its SHA-256 with a value published out of band, and only then run it.
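The verify-before-run step that a setup section should prescribe instead of the pipe, as an added Python sketch (not code from pocket-casts-yt, deno, or openclaw). The installer bytes are constructed inline so it runs offline, and the expected digest is computed from them only because there is no vendor here; in real use the digest must come from the vendor's release page or a pinned, reviewed copy, never from the same URL as the script. The fetch helper and its URL are placeholders.

```python
"""Added example: verify an installer script before executing it, instead of
piping curl into sh. Not code from pocket-casts-yt, deno, or openclaw."""
import hashlib
import hmac
import os
import subprocess
import tempfile
import urllib.request


class ChecksumMismatch(Exception):
    """Raised when the downloaded script does not match the expected digest."""


def fetch(url: str, timeout: int = 30) -> bytes:
    """Placeholder download helper (not called in the offline demo). Reading the
    whole script into memory lets us hash exactly the bytes we will run."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_sha256(data: bytes, expected_hex: str) -> str:
    """Return the hex digest if it matches expected_hex, otherwise raise.
    compare_digest avoids a timing side channel; case of the hex is ignored."""
    actual = sha256_hex(data)
    if not hmac.compare_digest(actual, expected_hex.lower()):
        raise ChecksumMismatch(f"expected {expected_hex}, got {actual}")
    return actual


def run_verified_script(script: bytes, expected_hex: str) -> int:
    """Verify first, then execute a saved copy with sh and return its exit code.
    On a mismatch nothing is executed and ChecksumMismatch propagates."""
    verify_sha256(script, expected_hex)
    # Write the verified bytes to a temp file so what runs is what was hashed.
    fd, path = tempfile.mkstemp(suffix=".sh")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(script)
        return subprocess.run(["sh", path], check=False).returncode
    finally:
        os.unlink(path)


# Constructed stand-in for a vendor install script (not deno's real installer).
DEMO_SCRIPT = b"#!/bin/sh\necho 'installing (demo)'\nexit 0\n"
# Demo only: derived from the constructed script. In practice this value is
# pasted from the vendor's published checksum, never computed from the download.
DEMO_SHA256 = sha256_hex(DEMO_SCRIPT)


def demo() -> dict:
    """Run the good path, then a tampered copy; report what happened."""
    exit_code = run_verified_script(DEMO_SCRIPT, DEMO_SHA256)
    tampered = DEMO_SCRIPT.replace(b"exit 0", b"exit 1")
    try:
        run_verified_script(tampered, DEMO_SHA256)
        refused = False
    except ChecksumMismatch:
        refused = True
    return {"verified_exit_code": exit_code, "tampered_refused": refused}


if __name__ == "__main__":
    print(demo())
```

The same shape works for the deno case once the expected digest is taken from a source independent of install.sh; a digest fetched from the same host at the same time only proves the download was not corrupted, not that it was the intended script.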

MEDIUM Runtime supply chain dependency via uvx yt-dlp -12

The upload.sh script invokes uvx yt-dlp with no version pin, so uv resolves the current yt-dlp release from PyPI and executes it rather than a reviewed, pinned version. A compromised yt-dlp release on PyPI, or a malicious dependency it pulls in, would run with the user's privileges. Pinning (for example uvx --from 'yt-dlp==<version>' yt-dlp) narrows the exposure to a known release but does not remove the trust placed in PyPI at run time.

LOW Long-lived credentials stored in predictable filesystem location -15

The skill stores a Pocket Casts refresh token (valid ~1 year) and YouTube session cookies in ~/.clawdbot/credentials/pocket-casts/. This path is documented in SKILL.md which is injected into the agent's context, making the credential location known to any co-installed skill or attacker who can read agent state.

LOW Incomplete JSON sanitization allows potential injection -7

The script sanitizes the video title for JSON insertion using only sed replacements for the double-quote and single-quote characters (the latter needs no escaping in JSON at all), leaving backslash, newline, tab and other control characters untouched. A backslash immediately before a quote in a title turns the escaped quote into an escaped backslash and closes the string early; a newline or other control character makes the request body invalid JSON. A crafted YouTube video title can therefore corrupt or break the upload request.

LOW Agent context exposes credential locations to chained skill abuse -20

Because SKILL.md is injected into the agent's system prompt, all co-installed skills and any prompt that reaches the agent know exactly where Pocket Casts and YouTube credentials are stored. A malicious prompt or chained skill could instruct the agent to read and return these credentials.

LOW Network connections to Ubuntu infrastructure during clone window -8

Connections to 185.125.190.17 and 185.125.188.59 (Canonical/Ubuntu IP range) were observed during the install window. These are likely attributable to the uv package resolver or OS package system, not the skill itself, but represent unexpected network activity not directly caused by the git clone.

INFO Credential paths documented in agent context -5

SKILL.md explicitly documents the credential storage paths in the Recommended and Setup sections. While not a prompt injection attack, this permanently exposes credential locations to the agent and all users of that agent session.

INFO YouTube ToS-violating content upload facilitated -3

The skill's primary purpose facilitates downloading YouTube videos, which violates YouTube's Terms of Service in most contexts. The disclaimer acknowledges this but does not prevent it. An agent with this skill could be used to systematically download and archive copyrighted content.

INFO Canary files accessed pre- and post-install (audit framework artifact) 0

Honeypot files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud credentials) were opened in both the pre-install window (audit ts 1771919110, before git clone at 1771919128) and post-install window (audit ts 1771919133). No corresponding skill EXECVE events explain these accesses; timing and canary-intact result indicate this is the audit framework's own canary lifecycle management.