
yt-dlp MCP — agentic threat model

AIVSS 8.1 · High

This agent wraps yt-dlp to download media and extract subtitles, presenting a high risk of local file write vulnerabilities, server-side request forgery (SSRF), and prompt injection via untrusted subtitle inputs.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM

CVSS base: 7.5
AARS uplift: 0.58
Factor sum: 2.2/10
Threat multiplier (ThM): ×1.05
Mitigation factor: ×1.0

Agentic risk factors (sum 2.2):
  Autonomy of Action        0.40
  Goal-Driven Planning      0.20
  Self-Modification         0.00
  Dynamic Tool Use          0.60
  Persistent Memory         0.10
  Contextual Awareness      0.30
  Dynamic Identity          0.00
  Multi-Agent Interactions  0.10
  Non-Determinism           0.30
  Opacity & Reflexivity     0.20

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
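Worked computation of this listing's score, as an added example (not AgentReady's own code): it implements the AIVSS formula stated above with the CVSS base, threat multiplier, mitigation factor and the ten factor values from the listing, reproducing the 0.58 uplift and the 8.1 score. The qualitative bands in `severity_label` are an assumption (the CVSS v3.x None/Low/Medium/High/Critical ranges); the listing itself only shows the "High" label.

```python
"""Worked AIVSS computation for this listing (added example, not AgentReady's own code).

Implements the formula stated on the page:
    AIVSS = (CVSS_Base + AARS) * Mitigation_Factor
    AARS  = (10 - CVSS_Base) * (Factor_Sum / 10) * ThM
with the CVSS base, threat multiplier, mitigation factor and the ten agentic
risk factor values taken from the listing.
"""

CVSS_BASE = 7.5           # CVSS base score from the listing
THREAT_MULTIPLIER = 1.05  # ThM ("Threat x1.05" on the listing)
MITIGATION_FACTOR = 1.0   # no mitigation credited on the listing

# The ten agentic risk factors exactly as scored on the listing.
AGENTIC_FACTORS = {
    "Autonomy of Action": 0.40,
    "Goal-Driven Planning": 0.20,
    "Self-Modification": 0.00,
    "Dynamic Tool Use": 0.60,
    "Persistent Memory": 0.10,
    "Contextual Awareness": 0.30,
    "Dynamic Identity": 0.00,
    "Multi-Agent Interactions": 0.10,
    "Non-Determinism": 0.30,
    "Opacity & Reflexivity": 0.20,
}


def factor_sum(factors):
    """Sum the agentic factors; each is expected in 0.0..1.0, so ten factors sum to at most 10."""
    for name, value in factors.items():
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"factor {name!r} out of range: {value}")
    return sum(factors.values())


def aars(cvss_base, factors, thm):
    """Agentic uplift: the headroom above the CVSS base, scaled by the factor sum and ThM."""
    if not 0.0 <= cvss_base <= 10.0:
        raise ValueError("CVSS base must be within 0..10")
    return (10.0 - cvss_base) * (factor_sum(factors) / 10.0) * thm


def aivss(cvss_base, factors, thm, mitigation):
    """Final AIVSS score as given by the formula (no rounding applied here)."""
    return (cvss_base + aars(cvss_base, factors, thm)) * mitigation


def severity_label(score):
    """Qualitative band. Assumption: the listing's 'High' label follows the CVSS v3.x bands."""
    if score == 0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def score_listing(mitigation=MITIGATION_FACTOR):
    """Return (score rounded to one decimal, label) for this listing.

    Passing a lower mitigation factor shows how much a credited control
    (for example sandboxing or egress filtering) would move the score.
    """
    score = round(aivss(CVSS_BASE, AGENTIC_FACTORS, THREAT_MULTIPLIER, mitigation), 1)
    return score, severity_label(score)


if __name__ == "__main__":
    print(f"factor sum  = {factor_sum(AGENTIC_FACTORS):.2f}/10")
    print(f"AARS uplift = {aars(CVSS_BASE, AGENTIC_FACTORS, THREAT_MULTIPLIER):.2f}")
    print("AIVSS = %.1f (%s)" % score_listing())
```

The uplift is driven almost entirely by Dynamic Tool Use (0.60) and Autonomy of Action (0.40); the mitigation factor of 1.0 means no control has been credited, so the score is effectively the CVSS base plus the full agentic headroom.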

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models (✓ mapped)

The model is highly vulnerable to indirect prompt injection because it processes untrusted subtitle and transcript text fetched dynamically from external, user-controlled media sites.

L2 · Data Operations (✓ mapped)

Data operations involve fetching arbitrary remote media and writing files to local paths. There is a high risk of local path traversal, arbitrary file writes, and SSRF through malicious URLs.

L3 · Agent Frameworks (✓ mapped)

The agent framework exposes powerful tools (download, extract-audio, get-subtitles). Insecure tool integration could allow an attacker to pass malicious arguments to the underlying yt-dlp binary.
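The L2 and L3 concerns above (SSRF through a malicious URL, path traversal or arbitrary file write through the output name, and malicious arguments reaching the yt-dlp binary) come down to three input checks a wrapper can make before it ever spawns yt-dlp. The following is an added example written for this page, not the listed agent's code: `DOWNLOAD_ROOT`, `validate_media_url`, `resolve_output_path` and `plan_tool_call` are assumed names, the sandbox directory is assumed, and the tool names come from the listing; the yt-dlp options used (`--no-playlist`, `-o`, `-x`, `--write-subs`, `--skip-download`, `--sub-langs`) are real yt-dlp CLI options.

```python
"""Input hardening for a yt-dlp-wrapping MCP tool (added example, not the listed agent's code).

Covers the L2/L3 threats: SSRF through the media URL, path traversal or arbitrary
file write through the output name, and argument injection into yt-dlp.
Assumptions: all output is confined to DOWNLOAD_ROOT, and yt-dlp is invoked as a
subprocess with an argv list (never through a shell string).
"""
import ipaddress
import re
from pathlib import Path
from urllib.parse import urlsplit

DOWNLOAD_ROOT = Path("/srv/agent-downloads")  # assumed sandbox directory for all output
ALLOWED_SCHEMES = {"http", "https"}
# One safe path component: no leading dot (hidden files), no separators, no '%'
# (yt-dlp treats '%(...)s' in -o as a template field).
SAFE_COMPONENT = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")
# Tool names from the listing mapped to the yt-dlp options each one needs.
TOOL_OPTIONS = {
    "download": [],
    "extract-audio": ["-x"],
    "get-subtitles": ["--write-subs", "--skip-download", "--sub-langs", "en"],
}


def validate_media_url(url: str) -> str:
    """Accept only http(s) URLs to public hosts.

    Requiring a scheme also guarantees the value can never start with '-' and
    be parsed by yt-dlp as an option.
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"unsupported scheme: {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise ValueError("URL has no host")
    if parts.username or parts.password:
        raise ValueError("credentials embedded in the URL are not allowed")
    if host == "localhost" or host.endswith(".localhost"):
        raise ValueError("loopback host rejected")
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # A DNS name. It must be resolved and re-checked with the same is_global
        # test at connect time (DNS rebinding); a pre-spawn check cannot do that.
        return parts.geturl()
    if not addr.is_global:  # loopback, private, link-local and other reserved ranges
        raise ValueError(f"non-public address rejected: {host}")
    return parts.geturl()


def resolve_output_path(name: str, root: Path = DOWNLOAD_ROOT) -> Path:
    """Map a caller-supplied relative name onto a path that is provably inside root."""
    rel = Path(name)
    if not name or rel.is_absolute() or not rel.parts:
        raise ValueError("output name must be a non-empty relative path")
    for part in rel.parts:
        if not SAFE_COMPONENT.match(part):  # rejects '..', hidden files, '%', separators
            raise ValueError(f"unsafe path component: {part!r}")
    root_resolved = root.resolve()
    candidate = (root_resolved / rel).resolve()  # also follows any symlink placed under root
    if root_resolved not in candidate.parents:
        raise ValueError("output path escapes the download root")
    return candidate


def plan_tool_call(tool: str, url: str, out_name: str, root: Path = DOWNLOAD_ROOT) -> list:
    """Build the exact argv for yt-dlp: fixed options first, the validated URL last."""
    if tool not in TOOL_OPTIONS:
        raise ValueError(f"unknown tool: {tool!r}")
    safe_url = validate_media_url(url)
    out_path = resolve_output_path(out_name, root)
    template = f"{out_path}.%(ext)s"  # checked path plus a literal extension placeholder
    return ["yt-dlp", "--no-playlist", *TOOL_OPTIONS[tool], "-o", template, safe_url]


if __name__ == "__main__":
    argv = plan_tool_call("get-subtitles", "https://example.com/watch?v=demo", "demo-video")
    print(argv)
    # subprocess.run(argv, check=True, timeout=600)  # argv list, shell=False: no shell parsing
```

The argv is constructed with options before the URL and the URL constrained to an http(s) scheme, so nothing the caller supplies can be interpreted as a yt-dlp option; the output template is derived from a path already proven to sit under the sandbox root. What this cannot cover is a public hostname that later resolves to an internal address, which is why L4's network egress controls still matter even with this validation in place.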

L4 · Deployment & Infrastructure (⚠ not certain from listing)

Not certain from the listing — the deployment environment is unspecified, but if run without strict sandboxing, container isolation, or network egress controls, it could lead to host compromise or lateral movement.

L5 · Evaluation & Observability (⚠ not certain from listing)

Not certain from the listing — there is no mention of logging, input validation, or guardrails to inspect the URLs being requested or the content being downloaded.

L6 · Security & Compliance (cross-cutting) (⚠ not certain from listing)

Not certain from the listing — there are no apparent authentication, authorization, or rate-limiting policies defined to restrict who can trigger downloads or where files can be written.

L7 · Agent Ecosystem (✓ mapped)

If integrated into a multi-agent system, a compromised yt-dlp agent could be used by other agents to exfiltrate data via outbound media requests or poison the shared workspace with malicious files.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).