Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

you-get

v0.1.0

Web media download assistant - download video, audio, and images from YouTube, Bilibili, and other sites

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description (web media downloader) match the requested binaries (python, you-get, ffmpeg) and example commands. Asking for you-get/ffmpeg is proportionate to the stated purpose. However, metadata sets primaryEnv to 'python' which is not a credential name and is incoherent with the platform's primaryEnv usage.
! Instruction Scope
SKILL.md and guides instruct the agent to run arbitrary shell commands (install, download, play) which is expected for a downloader, but they also explicitly reference sensitive local paths (e.g. ~/.mozilla/firefox/xxxxx/cookies.sqlite) and recommend exporting/using browser cookies. Those file accesses are outside declared config paths and may expose authentication data. The troubleshooting guide also suggests disabling firewalls (sudo ufw disable) as a diagnostic step, which is risky guidance.
Install Mechanism
No install spec (instruction-only). That is low-risk from an install-mechanics perspective: nothing is fetched or executed by an installer provided in the skill bundle.
! Credentials
The skill declares no required env vars or credentials, which mostly aligns with its function. But it instructs the use of cookie files and directly references browser cookie DBs (sensitive credentials) without declaring config path requirements. The primaryEnv metadata value ('python') is misused and misleading.
Persistence & Privilege
always is false and model invocation is permitted (defaults). The skill does not request persistent presence or modify other skills. No elevated persistence privileges are requested.
What to consider before installing
This skill is basically a wrapper around the well-known you-get tool and is coherent for downloading media. However: 1) the guides instruct the agent to read browser cookie files (e.g. cookies.sqlite) to download login-protected content; that can expose your login state and should only be done if you trust the agent and are comfortable with that risk; 2) the skill's metadata sets primaryEnv to 'python', which looks like a misconfiguration and not a credential; ignore that or ask the author to correct it; 3) some troubleshooting advice (temporarily disabling the firewall) is unsafe; avoid disabling security controls on your system; 4) because the skill will run shell commands and can access local files, only install it if you trust the source and understand it will execute you-get/ffmpeg commands on your machine. If you want to be cautious, run the commands manually in a controlled environment (or run you-get locally) rather than granting the agent direct execution rights.

Like a lobster shell, security has layers — review code before you run it.

Tags: audio, downloader, latest, media, video


Runtime requirements

⬇️ Clawdis
Bins: python, you-get, ffmpeg
