MeowMusic YouTube MP3

This skill appears to do what it says (enable Windows->server cookie sync and a yt-dlp+ffmpeg fallback), but take these precautions before installing or running it: - Understand the sensitive action: youtube_cookie_sync.py exports local browser cookies and uploads them to a server. Only run this on machines and profiles you trust and with explicit user consent. Do not use production browser profiles unless you fully trust the receiving server. - Verify and restrict the server endpoint: review and, if you implement the server handler, ensure it authenticates correctly, writes cookie files atomically with restrictive permissions (0600), and that the bearer token has minimal scope and expiration. Prefer short-lived or limited-scope tokens. - Metadata mismatch: the skill metadata does not list MEOW_SERVER_URL or MEOW_BEARER_TOKEN as required env vars even though the scripts use them. Expect to provide those values; verify where you store them. - Missing referenced files: SKILL.md mentions Windows helper .bat scripts that are not in the package. Confirm whether those helpers are required and obtain or reimplement them from trusted sources. - Test in a sandbox: run the install script and cookie-sync flow in an isolated test VM/server first (not on production), and inspect produced files and network requests (use a local intercepting proxy if needed). - Review code and server-side implementation: inspect the server endpoint that receives cookies before sending anything. Confirm logging policies so cookies are not written to logs. - If you want tighter safety: avoid uploading real cookies; instead create a disposable test account/profile or a restricted token. Rotate any tokens used after testing. Given the inconsistencies (undeclared env vars, missing helper files) and the sensitive nature of cookie export/upload, proceed only after manual review and with mitigations in place.