M3U8 Downloader
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
The skill is a coherent HLS downloader, but its script builds cleanup and output paths from an unsanitized output name, which could delete or overwrite files outside the intended Downloads folder.
Review or patch the script before use. If you run it, omit the optional output name or use only a simple filename made of letters, numbers, dashes, and underscores. Do not pass names containing slashes or '..' until the cleanup and output paths are safely constrained.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A crafted or mistaken output name could cause the agent to delete a user directory or overwrite files outside the intended video-download location.
The optional output name is embedded directly into filesystem paths without validation. If it contains slashes or '..' components, the work directory can resolve outside the intended Downloads subdirectory and is later deleted recursively; the output file path can also escape Downloads and is overwritten with ffmpeg -y.
OUTPUT_NAME="${2:-video_$(date +%Y%m%d_%H%M%S)}"
WORK_DIR="$HOME/Downloads/m3u8_${OUTPUT_NAME}"
OUTPUT_FILE="$HOME/Downloads/${OUTPUT_NAME}.mp4"
...
ffmpeg -y ... "$OUTPUT_FILE"
...
rm -rf "$WORK_DIR"
Reject output names containing path separators, '..', or shell/path metacharacters; use a safe basename allowlist; create the work directory with mktemp; resolve paths with realpath and verify they remain under the intended Downloads directory before writing or deleting.
The skill will only work if local command-line tools are installed, and those tools will process downloaded media content.
The registry metadata does not declare required binaries, while SKILL.md says the workflow depends on aria2c and ffmpeg. This is purpose-aligned, but users may not be warned by metadata-based checks.
Required binaries (all must exist): none ... Install specifications: No install spec — this is an instruction-only skill.
Declare aria2c and ffmpeg as required binaries in metadata, and install them only from trusted package managers or sources.
