Yt Dlp

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward yt-dlp wrapper; its main sensitive feature is optional browser-cookie use, which is relevant to the purpose and partly disclosed.

Install yt-dlp and ffmpeg from trusted sources and run downloads in a dedicated folder. Use --cookies-from-browser only when you intentionally need authenticated access on a trusted machine; a separate browser profile or site-specific cookies file is safer for limiting session exposure.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The guide recommends `--cookies-from-browser` as the 'safest way' to authenticate but does not warn that this accesses browser-stored session cookies from a logged-in profile. In an agent/skill context, normalizing browser-cookie import without consent and scope warnings can lead users to expose active authenticated sessions for YouTube or other Google-linked services.

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The documentation recommends importing live browser cookies for authentication but does not warn that browser cookies are sensitive session secrets that can grant account access if exposed in logs, shell history, screenshots, shared terminals, or support bundles. In an agent skill context, normalizing cookie extraction without guardrails increases the chance users or downstream automation handle authentication material insecurely.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal