Yt Dlp Downloader Skill
ReviewAudited by ClawScan on May 10, 2026.
Overview
The downloader is mostly coherent, but it tells the agent to use your browser cookies for YouTube downloads, which is sensitive account/session access that is not clearly permission-scoped.
Use this skill only if you are comfortable with yt-dlp running locally and, for YouTube, potentially reading your browser cookies. Before running a command, verify the URL, output folder, and whether cookies are actually needed; avoid cookie access unless you explicitly approve it.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The download may use your logged-in YouTube/Google session. Browser cookies are sensitive because they can represent account access if mishandled.
This directs the agent to have yt-dlp read a local browser profile/cookie store to authenticate YouTube downloads. The registry metadata declares no credentials, and the workflow does not clearly require explicit user approval before using browser cookies.
YouTube/YouTube Music → **Always use `--cookies-from-browser chrome`**
Require explicit consent before using browser cookies, disclose browser-profile access in metadata, and prefer a narrowly scoped cookies file or a user-selected browser/profile when authentication is necessary.
The agent can run local download commands and create files on disk for the requested URL.
The skill expects shell execution and network access to run yt-dlp. This is purpose-aligned for a downloader, and the instructions also warn not to use eval or build a shell from untrusted text, but users should still review commands before execution.
Execute the download using Shell tool with `required_permissions: ["all", "network"]`
Review the generated yt-dlp command, confirm the URL and output path, and avoid running commands constructed from untrusted extra arguments.
Installing or updating these tools changes your local environment and depends on the trustworthiness of the package sources.
The skill relies on user-installed third-party tools from package managers. This is expected for a yt-dlp wrapper, but the versions are not pinned and the registry source/homepage are not populated.
pip install yt-dlp # Install ffmpeg (required for audio extraction) brew install ffmpeg
Install yt-dlp and ffmpeg from trusted sources, consider pinning versions, and verify the repository/package provenance before use.