Youtube Downloader

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward YouTube downloader that saves requested videos locally and records them in an OpenClaw asset registry.

Install only if you want an agent to run a local bash script that uses yt-dlp to download YouTube videos, consume disk space, and keep a local registry history of downloaded URLs and files.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill instructs the agent to download files into the local workspace and append entries to a shared asset registry, but it does not clearly warn that invoking the skill causes persistent filesystem writes and metadata modification. This can mislead users about side effects, increasing the chance of unintended downloads, storage consumption, and silent changes to shared workspace state.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal