youtube-download-review
Pass
Audited by VirusTotal on May 11, 2026.
Findings (1)
The skill provides YouTube downloading and processing functionality using yt-dlp and ffmpeg, but it is classified as suspicious due to a high risk of command injection. Specifically, SKILL.md instructs the agent to construct shell commands for ffmpeg and yt-dlp using unsanitized video titles and URLs as variables (e.g., in the ffmpeg -i and -vf arguments). While these capabilities are necessary for the stated task, the lack of input validation or escaping instructions could allow a maliciously titled video to execute arbitrary code on the host system.
