democ4s/youtube-mcp-server

critical

No description

This MCP server provides tools to interact with YouTube videos (extracting video IDs and transcripts) and perform web searches using the Tavily API. I...

purpose: This MCP server provides tools to interact with Yo...
threat: network exposed
Python | 0 | May 20, 2026 | May 20, 2026 | GITHUB
5/20/2026
high: 1 finding
server.py
19     with yt_dlp.YoutubeDL({'quiet': True}) as ydl:
20         info = ydl.extract_info(url, download=False)
21         return info['id']
server.py:19

// Exploitable if MCP is exposed to untrusted prompts (network_exposed).

The get_video_id tool accepts an arbitrary URL and passes it directly to yt-dlp's extract_info. yt-dlp can be tricked into making requests to internal services (e.g., file://, localhost, or cloud metadata endpoints) via crafted URLs, leading to Server-Side Request Forgery.

Impact: An attacker could use this tool to probe internal networks, read local files (via file://), or access cloud instance metadata, potentially leaking sensitive information.

Fix: Validate that the URL is a valid YouTube URL (e.g., using a regex or URL parsing) before passing it to yt-dlp. Restrict allowed schemes to http/https and domains to known YouTube domains.

high: 1 finding
server.py
14 tavily_client = TavilyClient(api_key=os.environ.get("TAVILY_API_KEY"))
server.py:14

// Exploitable if MCP is exposed to untrusted prompts (network_exposed) or if the server leaks environment info.

The Tavily API key is read from an environment variable. While this is a common practice, if the environment is compromised or if the server exposes environment variables (e.g., through error messages or debugging endpoints), the key could be leaked. Additionally, the key is stored in plaintext in memory.

Impact: An attacker who gains access to the environment or exploits an information disclosure vulnerability could obtain the API key and use it to make unauthorized requests, incurring costs or accessing private data.

Fix: Use a secrets manager or encrypted storage. Ensure environment variables are not exposed in error messages or logs. Consider using a read-only API key with restricted permissions.

medium: 1 finding
server.py
24 def get_transcript(video_id: str) -> str:
25     """Get the full transcript of a YouTube video"""
26     try:
27         transcript = YouTubeTranscriptApi.get_transcript(video_id)
28         return " ".join(entry['text'] for entry in transcript)
29     except Exception as e:
30         return f"Error: {str(e)}"
server.py:24

// Exploitable if MCP is exposed to untrusted prompts (network_exposed).

The video_id parameter is not validated. While YouTubeTranscriptApi likely expects a valid video ID, passing arbitrary strings could cause unexpected behavior or resource consumption. More importantly, the error message leaks internal exception details, which could aid an attacker.

Impact: Information disclosure via error messages. Potential for resource exhaustion if invalid IDs cause repeated API calls.

Fix: Validate that video_id matches the expected format (e.g., 11-character alphanumeric). Avoid returning raw exception messages to the user.

medium: 1 finding
server.py
33 def web_search(query: str) -> str:
34     """Search the web for information using Tavily API"""
35     try:
36         response = tavily_client.search(query=query, include_answer=True, max_results=5)
37         answer = response.get("answer", "No answer found.")
38         sources = "\n\nSources:\n"
39         for i, result in enumerate(response.get("results", [])):
40             sources += f"{i+1}. {result['title']} - {result['url']}\n"
41         return f"{answer}{sources}"
42     except Exception as e:
43         return f"Error: {str(e)}"
server.py:33

// Exploitable if MCP is exposed to untrusted prompts (network_exposed).

The query parameter is passed directly to the Tavily API without any sanitization. While this is a search API, an attacker could craft queries that cause the Tavily client to make unintended requests or leak API keys through error messages.

Impact: Potential for prompt injection or abuse of the Tavily API. Error messages may leak sensitive information.

Fix: Sanitize the query input to prevent injection. Avoid returning raw exception messages.

low: 1 finding
server.py
10     host="0.0.0.0",
11     port=8000
server.py:10

// Network_exposed threat model; this is a configuration choice that amplifies risk.

The MCP server is configured to listen on all network interfaces (0.0.0.0), making it accessible from any network. This increases the attack surface, especially if the server is not intended to be publicly accessible.

Impact: Any network entity that can reach the server can interact with the tools, increasing the risk of exploitation.

Fix: Bind to localhost (127.0.0.1) if remote access is not required, or use a firewall to restrict access.

env.exposure: 85 (LLM-based)
low findings: +5
high findings: +50
medium findings: +30