Back to skill
Skillv1.0.0
ClawScan security
Personal Video Dl · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 8, 2026, 1:25 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill is internally consistent: it is a yt-dlp-based video downloader and its files and instructions align with that purpose.
- Guidance
- This skill is a straightforward wrapper around yt-dlp and appears coherent. Before installing/using: (1) be aware the script will run yt-dlp which performs network requests to the video sites; (2) installing yt-dlp uses pip (pulls code from PyPI) — only install packages you trust or run in a sandbox/container; (3) only download content you have the right to download (terms of service / copyright); (4) review any URL list files for untrusted entries before batch downloading; and (5) run the script without elevated privileges to limit risk.
Review Dimensions
- Purpose & Capability
- okThe name, description, SKILL.md, and the included video_downloader.py all describe the same behavior (a wrapper around yt-dlp). There are no unexpected environment variables, credentials, or unrelated binaries requested.
- Instruction Scope
- noteSKILL.md instructs the agent/user to run the included Python script and to install yt-dlp. The script performs file I/O (creates output dirs, reads a urls file) and spawns yt-dlp as a subprocess to download content. This stays within the stated scope, but it does execute external commands and performs network access (yt-dlp contacting remote sites).
- Install Mechanism
- noteThere is no platform install spec in the registry (instruction-only), but the script includes an install routine that runs `python -m pip install -U yt-dlp`. Installing from PyPI is normal here, but installing packages pulls remote code — consider the usual risks of installing third-party packages.
- Credentials
- okThe skill requests no environment variables or credentials and the code does not read secrets. The requested capabilities are proportional to a downloader (network access, filesystem write access to the target directory).
- Persistence & Privilege
- okThe skill is not marked always:true, does not alter other skill configs, and has no persistent privileged behavior. It runs only when invoked.