Universal Video Downloader

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent video downloader that uses yt-dlp for user-provided links and discloses temporary file cleanup behavior.

Install only if you are comfortable with an agent running yt-dlp and ffmpeg locally against user-provided video URLs. For sensitive media, confirm the agent deletes the downloaded file after sending it, and keep in mind that video downloads may be subject to site terms and local law.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 90%
Finding: The skill clearly instructs the agent to invoke shell commands and Python scripts, but it does not declare corresponding permissions or capabilities. This creates a transparency and policy-enforcement gap: an agent or platform may allow execution beyond what the manifest communicates, increasing the chance of unintended command execution or inadequate review of shell access.

Missing User Warnings

Medium
Confidence: 81%
Finding: The skill states that downloaded files must be deleted immediately after delivery, but it does not clearly disclose this data-retention behavior to users. While not an exploit primitive by itself, it can cause user surprise, failed expectations around file availability, and weak auditability for sensitive or compliance-relevant media handling.

VirusTotal

67/67 vendors flagged this skill as clean.
