Back to skill

Security audit

Media Downloader

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward media downloader, with disclosed local saves and no evidence of hidden, destructive, or unrelated behavior.

Install this if you want your agent to download media from URLs onto your machine. Expect network access, persistent files in your media folders, possible disk usage from large videos or playlists, and Telegram delivery of audio files when used from Telegram. Treat any configured cookie files as account-session secrets and avoid enabling media-server sharing unless you want downloaded media visible on your local network.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill invokes a downloader script with network access, writes files into user media folders, and reads environment variables for cookie-file discovery, yet declares no permissions or equivalent user-facing capability notice. This creates a transparency and consent gap: users and host systems cannot accurately assess that the skill will access the network, consume credential-adjacent data, and modify the local filesystem.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill automatically searches for and passes a cookie file from local disk or environment variables into yt-dlp, which lets the download request inherit the user's authenticated web session without explicit consent at runtime. In an agent skill context, this expands the capability from public-media download to use of sensitive credentials, enabling access to private, age-gated, paid, or account-bound content and potentially exposing session material through unintended use or logging.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The triggers "Download this video ..." and "Download this music ..." are broad natural-language phrases likely to match ordinary conversation, increasing the chance the skill auto-runs when the user did not intend a local download. In this skill's context, accidental activation can immediately lead to network retrievals and local file writes, which raises the security and privacy risk beyond a harmless misfire.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill advertises saving media directly into `~/Movies`, `~/Videos`, or `~/Music` without an upfront warning or confirmation about local filesystem writes. In context, this is more dangerous because downloads may be large, persistent, and automatically indexed by media servers, causing unintended storage use and broader local exposure of downloaded content.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The Telegram upload behavior can automatically send downloaded audio files to a third-party messaging platform without a prominent privacy warning or explicit consent gate. This is risky because media content, metadata, filenames, and possibly copyrighted or sensitive material may be transmitted off-device based on context detection rather than a separate user approval.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill automatically discovers and uses cookie files from several locations, including environment variables and home-directory paths, without warning that these files may contain sensitive authenticated session data. In this context, using credential-bearing cookies with a downloader increases the blast radius of misconfiguration or abuse, because the skill may access content under the user's logged-in identity and normalize silent use of secrets from the local environment.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
When run normally, the skill silently consults local and environment-provided cookie locations and may use them for authenticated downloads, but the user is not informed that browser/session credentials are being consumed. In an agent workflow, hidden credential use is risky because users may believe the skill only fetches public URLs while it actually performs actions with their logged-in identity and access scope.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.