v1.0.0

M3U8 Downloader

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 5:44 AM.

Analysis

The downloader matches its stated purpose, but its script uses an unsanitized output name in file paths and a recursive cleanup delete, which could write or delete outside the intended Downloads folder if invoked with a crafted name.

Guidance: Review this skill before installing. If you use it, pass only simple output names such as letters, numbers, dashes, and underscores, and do not let webpages or untrusted text choose the output name. Consider patching the script to sanitize paths and use a fixed temporary directory before running it.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: High | Confidence: High | Status: Concern
scripts/download.sh (excerpt):
OUTPUT_NAME="${2:-video_$(date +%Y%m%d_%H%M%S)}"
WORK_DIR="$HOME/Downloads/m3u8_${OUTPUT_NAME}"
OUTPUT_FILE="$HOME/Downloads/${OUTPUT_NAME}.mp4"
...
rm -rf "$WORK_DIR"

The optional output_name argument is inserted directly into filesystem paths without validation. A crafted value containing path traversal could move the output or cleanup target outside the intended Downloads directory, and the script later performs a recursive delete on that derived path.

User impact: If the agent or user passes a malicious or accidental path-like output name, the downloader could overwrite files or recursively delete a directory outside the intended download workspace.
Recommendation: Restrict output_name to a safe basename, reject '/' and '..', create the work directory with mktemp inside a fixed parent, verify the cleanup path is inside the intended directory before rm -rf, and avoid passing output names copied from webpages or untrusted text.
Agentic Supply Chain Vulnerabilities
Severity: Low | Confidence: High | Status: Note
SKILL.md (excerpt):
## Prerequisites

- `aria2c` (install: `brew install aria2`)
- `ffmpeg` (install: `brew install ffmpeg`)

The skill relies on external command-line tools, but the registry metadata lists no required binaries and no install spec. The dependency need is disclosed in the skill text and is purpose-aligned, but users should know the installer metadata may not preflight these tools.

User impact: The skill may fail or require manual package installation, and those external tools come from the user's package manager rather than from a pinned skill install process.
Recommendation: Install aria2c and ffmpeg only from trusted sources, and the skill publisher should declare these binaries in metadata or provide a clearer install specification.