Media Downloader

Pass

Audited by ClawScan on May 1, 2026.

Overview

The skill appears to be a disclosed media downloader, but it will run a local yt-dlp script, write media files locally, may use cookie files, and may send downloaded audio through Telegram when used there.

Before installing, be comfortable with a local script downloading media into your Music/Movies/Videos folders, optional use of cookie files for logged-in downloads, and Telegram delivery of audio files when used from Telegram. If those folders are shared by a media server, downloaded files may also become visible on your local network.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The skill can download files to your computer and use disk space in your media folders.

Why it was flagged

The skill directs the agent to run a local downloader on a user-provided URL and create files in local media folders. This matches the downloader purpose, but it is still local file and network activity.

Skill content

Run the script: `uv run --script ${baseDir}/dl.py "<url>"` ... Save into `~/Movies/` or `~/Videos/` ... `~/Music/`.

Recommendation

Use it only for URLs you intend to download, and specify an output directory if you do not want files placed in default media folders.

What this means

If a cookie file is configured, downloads may use your logged-in website session for the requested media service.

Why it was flagged

The implementation supports passing a cookie file to yt-dlp. Cookie files can represent logged-in sessions for media sites, which is sensitive but expected for some restricted downloads.

Skill content

`candidates = [HERE / ".cookies.txt", os.getenv("DL_COOKIES_FILE"), os.getenv("COOKIES_FILE"), "~/.cookies.txt"]` ... `options["cookiefile"] = str(cookie_file)`

Recommendation

Only provide narrowly scoped cookie files you are comfortable using with yt-dlp, and remove or unset them when not needed.

What this means

Running the skill may install or update third-party Python packages used by the downloader.

Why it was flagged

The uv script declares external Python dependencies, with yt-dlp unpinned and other packages using minimum versions. This is normal for this purpose but means runtime behavior can depend on package-index updates.

Skill content

`# dependencies = [ "loguru>=0.7.3", "python-slugify>=8.0.4", "yt-dlp", ]`

Recommendation

Run it in a trusted environment and consider pinning or locking dependency versions if you need reproducible behavior.

What this means

Downloaded audio may be sent through Telegram instead of staying only on the local machine.

Why it was flagged

The skill may transmit a downloaded audio file through the Telegram messaging tool when the session is on Telegram. This is disclosed and limited to the downloaded audio file, but it crosses a platform boundary.

Skill content

If the user is on Telegram ... Use the `message` tool to send the file to the user

Recommendation

Use the Telegram upload behavior only when you intend the downloaded file to be sent through that chat.