支持从 YouTube、Bilibili、抖音及所有 yt-dlp 兼容平台下载视频，可自动选择最佳分辨率、合并音视频并清理文件名

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed, user-directed video downloader that uses yt-dlp and ffmpeg to save videos locally.

Install only if you are comfortable using yt-dlp and ffmpeg. Download only URLs you trust and choose an output folder with enough disk space, since videos can be large and a custom output directory may write outside the current workspace.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 87% confidence
Finding: The skill advertises and operationally requires shell execution plus file read/write behavior through yt-dlp and ffmpeg, but it declares no explicit permissions. That creates a trust and review gap: callers may not realize the skill can invoke external binaries, write arbitrary download output, and potentially access local files depending on how the runner maps arguments into commands.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal