Yt Dlp Downloader
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: yt-dlp-downloader-skill
Version: 0.1.0
The skill is classified as suspicious due to two main security concerns found in `SKILL.md`. Firstly, it explicitly instructs the `yt-dlp` tool to access browser cookies via `--cookies-from-browser chrome`, which involves handling sensitive user data, even if justified for bypassing YouTube's 403 errors. Secondly, the workflow instructs the AI agent to execute commands with `required_permissions: ["all", "network"]`. The 'all' permission is overly broad for a video downloading task, granting extensive system access beyond what is strictly necessary for `yt-dlp`'s stated functionality, thereby introducing significant risk.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The download may run using your logged-in browser session, which can expose account-authenticated access to yt-dlp and affect privacy or account boundaries.
This directs the agent to read and use the user's local browser cookie/session store for YouTube downloads by default, without an explicit per-use approval step or a scoped credential declaration.
YouTube/YouTube Music → **Always use `--cookies-from-browser chrome`**
Require explicit user approval before using `--cookies-from-browser`, declare browser-cookie/session access in the skill metadata, and prefer trying unauthenticated downloads first unless the user specifically approves cookie use.
The agent may run local commands that download files and write them to disk.
The skill needs shell and network access to run yt-dlp, but the requested shell permission is broad and commands are constructed around user-provided URLs.
Execute the download using Shell tool with `required_permissions: ["all", "network"]`
Review the exact command before execution, keep output paths scoped to a safe downloads folder, and avoid running commands for untrusted or malformed URLs.
Installing or updating packages changes your local environment and depends on the package manager sources you use.
The skill documents installing external dependencies through package managers, but versions are not pinned and there is no install spec.
pip install yt-dlp
brew install ffmpeg # macOS
Install dependencies manually from trusted sources, consider pinning versions, and avoid automatic package installation without review.
