ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Yt Dlp

v1.0.1

A robust CLI wrapper for yt-dlp to download videos, playlists, and audio from YouTube and thousands of other sites. Supports format selection, quality control, metadata embedding, and cookie authentication.

0· 1.6k·22 current·22 all-time
byazzar budiyanto@1999azzar
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the included files: docs plus a simple wrapper script that calls yt-dlp and ffmpeg. Requested capabilities (download, format selection, metadata, cookies) align with what yt-dlp provides; no unrelated services or privileges are requested.
Instruction Scope
SKILL.md and references stay on-topic and only instruct use of yt-dlp/ffmpeg and the wrapper script. The wrapper does not read arbitrary files or network endpoints beyond yt-dlp's normal behavior. Note: the script warns to run 'scripts/setup' if yt-dlp isn't found, but no scripts/setup file is included in the bundle — this is a packaging/documentation gap (not evidence of exfiltration).
Install Mechanism
No install spec in the registry (instruction-only), which minimizes automatic disk writes. The docs recommend installing yt-dlp via pip or package managers and warn against untrusted curl|sh installers. The included references even show a GitHub release URL (a normal source).
Credentials
The skill requires no environment variables, no credentials, and no config paths. The docs caution about cookie use (which is appropriate) but do not attempt to access browser secrets themselves. This is proportionate to a downloader wrapper.
Persistence & Privilege
always is false and model invocation/autonomy is default. The skill does not request permanent presence or modify other skills. No elevated privileges or system-wide config modifications are attempted.
Assessment
This skill is a thin wrapper around yt-dlp and appears coherent. Before installing/using it: 1) ensure yt-dlp and ffmpeg are installed from official sources (pip, your OS package manager, or official GitHub releases) instead of running random curl|sh installers; 2) inspect the bundle (especially scripts/download.sh) — it attempts to use a .venv yt-dlp if present and otherwise calls system yt-dlp; 3) be cautious with cookies: using --cookies-from-browser can expose browser session cookies — prefer exporting a cookies.txt file and review it; 4) note a minor packaging gap: the script mentions 'scripts/setup' but that file is not included, so the script may fail if yt-dlp isn't already available. If you plan to let an autonomous agent use this skill, explicitly restrict use of browser cookies and confirm you trust the agent to run local commands that may write files to your download directory.

Like a lobster shell, security has layers — review code before you run it.

latestvk97cfwd5cttpb6wb7cnhy2qvfd810m47

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments