Back to skill

Security audit

YouTube Download

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent YouTube downloader, but it automatically changes local yt-dlp installations and can use browser session cookies without a clear consent gate.

Review before installing. Use this only if you are comfortable with it installing/updating yt-dlp in your user Python environment and passing authenticated browser cookies to yt-dlp. Prefer preinstalling a trusted yt-dlp version, using --skip-update, and only enabling --cookies or --cookies-from-browser after explicit approval for a specific video.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue AgentSelf-Modification, Session Persistence
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • YARA SignaturesMalware Match, Webshell Match, Cryptominer Match
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (7)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
if skip_update:
        return yt_dlp

    update = subprocess.run([*yt_dlp, "-U"], text=True)
    if update.returncode != 0:
        print("yt-dlp self-update failed or is disabled; upgrading with pip instead.", flush=True)
        pip_install_or_upgrade()
Confidence
90% confidence
Finding
update = subprocess.run([*yt_dlp, "-U"], text=True)

Lp3

Medium
Category
MCP Least Privilege
Confidence
87% confidence
Finding
The skill invokes shell/Python tooling and can access environment-dependent resources, but it declares no explicit permissions or trust boundaries. This creates an authorization and review gap: consumers may approve the skill without understanding that it can execute commands, install packages, write files, and potentially access local configuration or credentials indirectly.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script automatically installs or upgrades yt-dlp via pip without requiring explicit user confirmation. In a security-sensitive agent setting, modifying the local Python environment and fetching code from package infrastructure at runtime introduces supply-chain risk and unexpected system changes.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill supports importing cookies from a file or directly from browsers, which can expose authenticated session material to the downloading tool and to logs or downstream processes. In agent use, this is more sensitive because browser cookies may grant access to private accounts or age-restricted content beyond the user's intended scope.

Self-Modification

High
Category
Rogue Agent
Content
Use `python3` on most Linux/macOS systems. Use `py -3` or `python` on Windows when that is the configured Python launcher.

The helper checks for `yt-dlp`, installs it with `<python> -m pip install --user -U yt-dlp` if missing, tries `yt-dlp -U`, falls back to pip upgrade when self-update is unavailable, then runs the download. If a pip-installed executable is not on `PATH`, the helper searches common per-user script directories and falls back to `python -m yt_dlp`.

## Workflow
Confidence
93% confidence
Finding
self-update

Self-Modification

High
Category
Rogue Agent
Content
update = subprocess.run([*yt_dlp, "-U"], text=True)
    if update.returncode != 0:
        print("yt-dlp self-update failed or is disabled; upgrading with pip instead.", flush=True)
        pip_install_or_upgrade()
        yt_dlp = find_yt_dlp(prefer_user=True) or yt_dlp
Confidence
94% confidence
Finding
self-update

YARA rule 'info_stealer': Information stealer patterns (credential harvesting, browser data theft) [malware]

High
Category
YARA Match
Content
Use browser cookies for private, member-only, age-restricted, or region-sensitive videos:

```bash
python3 youtube-download/scripts/youtube_download.py "URL" --cookies-from-browser chrome
```

Pass extra `yt-dlp` flags:
Confidence
90% confidence
Finding
cookies-from-browser chrome

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.