Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Video download skill

v1.0.0

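Downloads videos from various websites using yt-dlp and ffmpeg. Supports YouTube, Bilibili, Douyin, and every other site yt-dlp supports. Invoke this skill when the user asks to download, save, or grab a video.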

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
The name/description match the actual code: the script uses yt-dlp to download and merge streams and uses ffmpeg for merging. There are no unrelated credentials, binaries, or config paths requested. The script implements quality/format/output options as described.
Instruction Scope
SKILL.md and the script largely agree on behavior (command-line usage, default ~/Downloads, auto-install yt-dlp). Minor inconsistencies: SKILL.md claims ffmpeg will be downloaded to a .trae/skills/... path, but the script downloads and installs ffmpeg under the script directory (SCRIPT_DIR/ffmpeg). Also SKILL.md implies automatic ffmpeg setup generally, but the script's automatic ffmpeg download is implemented only for Windows and exits on non-Windows platforms. The runtime instructions do not attempt to read unrelated system files or credentials.
Install Mechanism
There is no external install spec, but the script performs a network download and extraction of an FFmpeg ZIP from https://www.gyan.dev/ffmpeg/builds/ffmpeg-release-essentials.zip (third-party build host) and extracts it to disk. The script writes files to disk (extract and move operations). It also runs `pip install --upgrade yt-dlp` if yt-dlp is not present. Downloading and extracting an archive from a non-official host is a moderate risk and should be reviewed before use; the behavior is expected for this purpose but the source should be vetted.
Credentials
The skill requests no environment variables or credentials. It briefly consults the TEMP environment variable to pick a temporary path (typical). No secrets are collected or required by the code.
Persistence & Privilege
The skill does not request permanent platform privileges (always: false) and does not modify other skills. It writes files to the script directory (ffmpeg) and to the user's Downloads directory for downloaded videos. This file writing is expected for the stated purpose but you should be aware of where files are created.
Assessment
This skill appears to do what it says (download videos with yt-dlp and ffmpeg), but before installing or running it consider the following:
- Network downloads: the script will download an FFmpeg ZIP from gyan.dev (a third-party Windows build provider) and will run pip to install/upgrade yt-dlp. If you need higher assurance, manually install ffmpeg and yt-dlp and re-run the script.
- Platform behavior: automatic ffmpeg download is implemented only for Windows; on other OSes the script exits and asks you to install ffmpeg yourself. SKILL.md's description about ffmpeg path differs from the script's implementation (script uses its own directory, not necessarily .trae/skills/...).
- File writes: the script extracts files into its own directory and saves downloaded videos to ~/Downloads (or the user-specified output). Ensure you are comfortable with these write locations.
- Legal/privacy: downloading content may violate terms of service or copyright law; avoid downloading protected content you do not have rights to.
- Safety steps: review the downloaded ffmpeg zip URL manually, run the script in an isolated environment (VM or container) if possible, or install yt-dlp/ffmpeg yourself and run the script with network disabled to reduce risk.

If you want me to, I can produce a hardened version that skips automatic ffmpeg download and instead checks for an existing ffmpeg on PATH and gives clearer paths for where it writes files.

Like a lobster shell, security has layers — review code before you run it.
