Youtube Hq Downloader

Security checks across malware telemetry and agentic risk

Overview

This YouTube downloader appears to do what it says, but its scripts run user-influenced shell commands in unsafe ways that deserve review before installation.

Install only if you are comfortable running local downloader scripts that execute shell commands, install yt-dlp from pip, write to your media folders, and overwrite predictable output files. Do not pass untrusted URLs, filenames, or output directories. A safer version would remove shell=True and os.system, validate output names and paths, avoid reusing another skill's virtual environment, and pin or separately approve package installation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
import subprocess

def run_command(cmd, cwd=None, capture=True):
    """Execute a shell command."""
    print(f"🔧 执行: {cmd}")
    # Flagged: the caller-supplied string is handed to a shell unchanged.
    result = subprocess.run(cmd, shell=True, cwd=cwd, capture_output=capture, text=True)
    if result.returncode != 0:
        print(f"❌ 命令执行失败: {cmd}")
        if result.stderr:
            print(result.stderr)
    return result
Confidence
99% confidence
Finding
result = subprocess.run(cmd, shell=True, cwd=cwd, capture_output=capture, text=True)

os.system() or os exec-family call

High
Category
Dangerous Code Execution
Content
    print(f"\n✅ 完成!")
    print(f"📁 输出文件: {output_file}")
    # Flagged: a shell command string is built from the output path.
    os.system(f'ls -lh "{output_file}"')

if __name__ == "__main__":
    main()
Confidence
98% confidence
Finding
os.system(f'ls -lh "{output_file}"')

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill documentation instructs the agent/user to execute shell commands, create environments, install packages, and run external tools, but no permissions are declared. In an agent framework, undeclared shell capability reduces transparency and policy enforcement, making it easier for a seemingly simple downloader skill to perform broader system actions than expected.

Tp4

High
Category
MCP Tool Poisoning
Confidence
88% confidence
Finding
The stated purpose is media download/merge, but the documented workflow also creates a virtual environment, activates it, and installs yt-dlp via pip. This behavior expands the trust boundary to arbitrary package installation and command execution, which is materially different from simple file processing and can introduce supply-chain or execution risk if users or agents approve the skill based only on the narrower description.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill uses general-purpose shell execution for routine downloader tasks, giving it the ability to run arbitrary commands beyond what is necessary for downloading and muxing media. In this context, where command arguments are influenced by user input, that broader capability materially increases the attack surface and enables command injection.

Missing User Warnings

Low
Confidence
72% confidence
Finding
The ffmpeg example uses the -y flag, which overwrites output files without prompting, but the documentation does not warn users about this destructive behavior. In contexts where the output filename is predictable or reused, this can cause accidental data loss even if it is not a confidentiality or code-execution issue.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal