Low Risk — Risk Score 10/100
Last scan: 21 hr ago
nate-b-jones-digest
Monitor Nate B Jones's YouTube channel, pull each new video transcript, summarize it, and distribute the digest via email, chat, and/or document.
A legitimate YouTube channel monitoring and digest skill with fully documented workflows and no hidden malicious functionality.
Skill Name: nate-b-jones-digest
Duration: 44.2s
Engine: pi
Safe to install
Approve for use. All shell operations and network calls are explicitly documented in SKILL.md. No credential harvesting or data exfiltration observed.

Findings 2 items

Severity: Low
Finding: Capability levels not declared in frontmatter (Doc Mismatch)
SKILL.md frontmatter does not explicitly declare resource capability levels (filesystem, network, shell, etc.). While all operations are described in the body text, the absence of formal declarations is a minor documentation gap.
---
name: nate-b-jones-digest
description: Monitor Nate B Jones's YouTube channel...
→ Add a capabilities section to the frontmatter listing: filesystem:WRITE, network:READ, shell:WRITE, environment:READ, skill_invoke:READ
Location: SKILL.md:1

Severity: Info
Finding: Email address present in config (Sensitive Access)
[email protected] appears in config.yml. This is a legitimate subscriber email, not a credential.
- [email protected]
→ No action needed; this is expected contact info for digest delivery.
Location: config.yml:9

Resource Declared Inferred Status Evidence
Filesystem NONE WRITE ✓ Aligned SKILL.md lines 60-90: writes digests, summaries, transcripts to disk
Network NONE READ ✓ Aligned SKILL.md line 46: curl to YouTube API, line 9: YouTube channel URL
Shell NONE WRITE ✓ Aligned SKILL.md lines 47-48: yt-dlp, jq; line 56: whisper CLI
Environment NONE READ ✓ Aligned SKILL.md line 61: GOG_KEYRING_PASSWORD env var for Gmail auth
Skill Invoke NONE READ ✓ Aligned SKILL.md lines 60-61: invokes 'gog' skill for Gmail/Docs

6 findings

Medium External URL
https://www.youtube.com/@NateBJones.
SKILL.md:9

Medium External URL
https://www.youtube.com/@NateBJones/videos
SKILL.md:32

Medium External URL
https://www.youtube.com/watch?v=$VIDEO_ID
SKILL.md:46

Medium External URL
https://www.youtube.com/@NateBJones
config.yml:2

Medium External URL
https://www.youtube.com/watch?v=QT7W_uHjqWE
logs/QT7W_uHjqWE-summary.html:19

Info Email
[email protected]
config.yml:9

File Tree

8 files · 36.8 KB · 884 lines
Text 3f · 665L Markdown 2f · 123L YAML 2f · 59L HTML 1f · 37L
├─ 📁 logs
│ ├─ 📄 nate-b-jones-last-video.txt Text 1L · 12 B
│ ├─ 📄 QT7W_uHjqWE-summary.html HTML 37L · 2.8 KB
│ ├─ 📝 QT7W_uHjqWE-summary.md Markdown 17L · 1.8 KB
│ ├─ 📄 QT7W_uHjqWE-summary.txt Text 19L · 1.8 KB
│ └─ 📄 QT7W_uHjqWE-transcript.txt Text 645L · 24.1 KB
├─ 📁 references
│ └─ 📋 config-example.yml YAML 31L · 894 B
├─ 📋 config.yml YAML 28L · 552 B
└─ 📝 SKILL.md Markdown 106L · 4.8 KB

Dependencies 3 items

Package Version Source Known Vulns Notes
youtube_transcript_api * pip No Version not pinned; legitimate well-maintained library
yt-dlp * pip No Version not pinned; well-known YouTube downloader CLI
whisper * pip No Version not pinned; OpenAI's Whisper CLI

Security Positives

✓ No executable scripts present - skill is documentation-only
✓ No obfuscation, base64-encoded content, or suspicious code patterns
✓ All shell commands (yt-dlp, whisper, curl, gog) explicitly documented in SKILL.md
✓ No credential harvesting beyond GOG_KEYRING_PASSWORD for documented Gmail auth
✓ No network calls to unknown IPs - only YouTube API and documented services
✓ No sensitive path access (~/.ssh, ~/.aws, .env files)
✓ No persistence mechanisms (cron entries are optional and documented)
✓ No data exfiltration or C2 communication detected
✓ External tool dependencies (youtube_transcript_api, yt-dlp, whisper) are well-known legitimate projects
✓ Logs contain only expected output from the digest workflow