yt-dlp MCP — agentic threat model
This agent wraps yt-dlp to download media and extract subtitles, presenting a high risk of local file write vulnerabilities, server-side request forgery (SSRF), and prompt injection via untrusted subtitle inputs.
OWASP AIVSS score rationale
| Agentic risk factor | Score |
|---|---|
| Autonomy of Action | 0.40 |
| Goal-Driven Planning | 0.20 |
| Self-Modification | 0.00 |
| Dynamic Tool Use | 0.60 |
| Persistent Memory | 0.10 |
| Contextual Awareness | 0.30 |
| Dynamic Identity | 0.00 |
| Multi-Agent Interactions | 0.10 |
| Non-Determinism | 0.30 |
| Opacity & Reflexivity | 0.20 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from the listing” are general, caveated commentary where the public description did not pin down that layer.
1. Foundation Models: The model is highly vulnerable to indirect prompt injection because it processes untrusted subtitle and transcript text fetched dynamically from external, user-controlled media sites.
2. Data Operations: Data operations involve fetching arbitrary remote media and writing files to local paths. There is a high risk of local path traversal, arbitrary file writes, and SSRF through malicious URLs.
3. Agent Frameworks: The agent framework exposes powerful tools (download, extract-audio, get-subtitles). Insecure tool integration could allow an attacker to pass malicious arguments to the underlying yt-dlp binary.
4. Deployment & Infrastructure: Not certain from the listing — the deployment environment is unspecified, but if run without strict sandboxing, container isolation, or network egress controls, it could lead to host compromise or lateral movement.
5. Evaluation & Observability: Not certain from the listing — there is no mention of logging, input validation, or guardrails to inspect the URLs being requested or the content being downloaded.
6. Security & Compliance: Not certain from the listing — there are no apparent authentication, authorization, or rate-limiting policies defined to restrict who can trigger downloads or where files can be written.
7. Agent Ecosystem: If integrated into a multi-agent system, a compromised yt-dlp agent could be used by other agents to exfiltrate data via outbound media requests or poison the shared workspace with malicious files.
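A hardened invocation path covering the three concrete risks named in layers 2 and 3 (SSRF through crafted URLs, local path traversal or arbitrary writes through the output path, and option injection into the yt-dlp binary), written here as an added example rather than code from the agent under review. The host allowlist, the download root and the injectable `resolve` hook are assumptions made for the example.

```python
import ipaddress
import re
import socket
from pathlib import Path
from urllib.parse import urlparse

# Assumptions for this example: a host allowlist set by policy and one fixed
# directory that the agent's sandbox is allowed to write into.
ALLOWED_HOSTS = {"www.youtube.com", "youtu.be"}
DOWNLOAD_ROOT = Path("/srv/agent/downloads").resolve()

def validate_url(url: str, resolve=socket.gethostbyname) -> str:
    """Accept only https URLs to allowlisted hosts that resolve to a public address;
    loopback, RFC 1918, link-local and metadata ranges are refused (SSRF guard).
    `resolve` is injectable so the check can run offline."""
    p = urlparse(url)
    if p.scheme != "https" or not p.hostname or p.username or p.password:
        raise ValueError("only plain https URLs are accepted")
    if p.hostname not in ALLOWED_HOSTS:
        raise ValueError("host is not allowlisted")
    if not ipaddress.ip_address(resolve(p.hostname)).is_global:
        raise ValueError("host resolves to a non-public address")
    return url

def safe_output_template(name: str) -> str:
    """yt-dlp -o template from a caller-chosen name kept to one path component under
    DOWNLOAD_ROOT. Only the extension comes from remote metadata; title/uploader
    fields, which an attacker-controlled site sets, never reach the path."""
    if not re.fullmatch(r"[A-Za-z0-9_.-]{1,64}", name):
        raise ValueError("file name contains disallowed characters")
    target = (DOWNLOAD_ROOT / name).resolve()
    if target.parent != DOWNLOAD_ROOT:  # also catches "." and ".." escapes
        raise ValueError("file name escapes the download root")
    return f"{target}.%(ext)s"

def build_command(url: str, name: str, resolve=socket.gethostbyname) -> list:
    """argv for yt-dlp: no shell, options fixed by the wrapper, and `--` ends option
    parsing so the URL can never be interpreted as a flag such as --exec."""
    return ["yt-dlp", "--no-playlist", "--no-exec",
            "-o", safe_output_template(name), "--", validate_url(url, resolve)]

def is_safe_request(url: str, name: str, resolve=socket.gethostbyname) -> bool:
    """Verdict-only form of the checks above."""
    try:
        build_command(url, name, resolve)
        return True
    except ValueError:
        return False
```

The resolved-address check is a point-in-time answer, so a DNS rebinding caveat remains: pin the resolved address for the actual fetch (or run yt-dlp behind an egress proxy that enforces the same policy) rather than relying on this check alone.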
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).