YouTube/B站视频搜索下载

Security checks across malware telemetry and agentic risk

Overview

This is mostly a normal video search/download skill, but it can use local browser login cookies without a clear opt-in and overstates Bilibili/subtitle support.

Install only if you are comfortable with a downloader that may use your logged-in browser cookies through yt-dlp. Prefer unauthenticated downloads, require explicit approval before any browser-cookie use, confirm output directories before writing files, and treat Bilibili/subtitle claims as under-implemented unless the publisher updates the skill.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
YARA SignaturesMalware Match, Webshell Match, Cryptominer Match
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration

Findings (9)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 91% confidence
Finding: The skill invokes shell commands, accesses environment variables, and performs network operations, but it does not declare corresponding permissions. This creates a trust and containment gap: an agent or reviewer may underestimate the skill's ability to reach external services, read secrets such as API keys, and write files locally.

Tp4

High

Category: MCP Tool Poisoning
Confidence: 95% confidence
Finding: The skill advertises multi-site support and subtitle features, but the documented implementation is largely YouTube-specific and omits real subtitle automation in the main script path. This mismatch can mislead users and orchestration systems about what the skill actually does, increasing the chance of unsafe invocation patterns or overbroad trust.

Description-Behavior Mismatch

Medium

Confidence: 89% confidence
Finding: Claiming broader platform coverage than is actually implemented is a security-relevant integrity issue because users may rely on the skill in contexts it does not safely handle. While not directly exploitable like code injection, it undermines informed consent and accurate risk assessment.

Context-Inappropriate Capability

Medium

Confidence: 97% confidence
Finding: The documentation instructs use of `--cookies-from-browser chrome`, which can access authenticated browser session cookies. That is broader than simple public search/download and introduces sensitive credential/session handling; if misused, it could enable access to private or age-restricted content using the user's logged-in browser state.

Context-Inappropriate Capability

Medium

Confidence: 93% confidence
Finding: The script automatically attempts to load browser cookies from local Chrome/Firefox/Safari profiles and passes them to yt-dlp without explicit user consent at runtime. This expands the tool from public video download into accessing authenticated browser session material, which can expose private account context and sensitive session-derived data if used on protected content or if logs/artifacts are mishandled.

Vague Triggers

Medium

Confidence: 84% confidence
Finding: Broad trigger phrases like common search/download language can cause unintended activation of a skill that performs network requests and local downloads. In agent settings, accidental activation increases the risk of unauthorized file writes, external requests, or processing user-provided URLs without sufficient confirmation.

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The skill directs downloads to local folders and supports audio extraction without clearly warning about filesystem writes, storage impact, or potential browser-cookie usage in related workflows. Users may unintentionally permit persistent local changes or sensitive-session reuse without informed consent.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The code silently escalates capability by reading browser cookies whenever a local browser is detected, with no interactive warning or opt-in. In an agent skill context, this is more dangerous because the user may think they are only downloading a public video, while the tool may access authenticated state from their local browser.

YARA rule 'info_stealer': Information stealer patterns (credential harvesting, browser data theft) [malware]

High

Category: YARA Match
Content: # 下载整个播放列表 yt-dlp --cookies-from-browser chrome -o "~/Downloads/%(playlist_title)s/%(title)s.%(ext)s" "PLAYLIST_URL" ```
Confidence: 90% confidence
Finding: cookies-from-browser chrome; cookies-from-browser chrome; cookies-from-browser chrome; cookies-from-browser chrome; cookies-from-browser chrome

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal