ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

m3u8 video downloader

v1.0.0

This skill should be used when the user wants to download videos from M3U8 streaming URLs. It handles parsing M3U8 playlists (including nested multi-bitrate...

0· 90·0 current·0 all-time
byunixsam@jyt2018

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for jyt2018/jyt-m3u8-downloader.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "m3u8 video downloader" (jyt2018/jyt-m3u8-downloader) from ClawHub.
Skill page: https://clawhub.ai/jyt2018/jyt-m3u8-downloader
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install jyt-m3u8-downloader

ClawHub CLI

Package manager switcher

npx clawhub@latest install jyt-m3u8-downloader
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name/description match the included Python script and workflow. The requirements.txt lists pyav and m3u8 even though the SKILL.md only mentions requests and ffmpeg; this is a minor mismatch but not evidence of malicious intent. Overall the requested actions (HTTP fetches of m3u8/TS/key files and ffmpeg merging) are coherent with the stated purpose.
Instruction Scope
SKILL.md instructs copying/running the provided script, providing an M3U8 URL and optional decryption key, and ensuring ffmpeg and requests are available. The runtime instructions and the script confine themselves to downloading playlist/segments/keys, writing local temporary files, and calling ffmpeg to merge — they do not instruct reading unrelated system files or sending data to third-party endpoints beyond the media URLs.
Install Mechanism
There is no automated install step; this is effectively an instruction-plus-script bundle. No remote install URLs or archive extractions are present. The included requirements.txt refers to public Python packages (pyav, m3u8) which is reasonable for media handling.
Credentials
The skill does not request environment variables, credentials, or config paths. All network activity is limited to the user-supplied M3U8/TS/key URLs, which is proportional to a downloader's purpose.
Persistence & Privilege
The skill is not always-enabled and does not request elevated or persistent platform privileges. It writes temporary files only for the download/merge workflow and cleans them up according to the documented behavior.
Assessment
This skill appears to do what it claims: download M3U8 playlists, fetch TS segments and keys, and merge them with ffmpeg. Before installing/run: 1) Review and run the script in an isolated environment (virtualenv or container) since it will download and write arbitrary remote content to disk. 2) Note the script disables TLS verification (requests verify=False) and suppresses warnings — this accepts invalid certs and could allow man-in-the-middle interceptions of downloads; only use with trusted sources or modify to enable verification. 3) The default max_workers is high (64) and could stress CPU/network; reduce if needed. 4) Ensure ffmpeg is installed and you comply with copyright/terms when downloading content. 5) The requirements.txt includes pyav and m3u8 even though SKILL.md doesn't mention them — install only the packages you need. If you need higher assurance, request the full untruncated script for a line-by-line audit and run it in a sandbox before use.

Like a lobster shell, security has layers — review code before you run it.

HLSvk974gc9zszqpr3jzrr1w17sb7s84eqsydownload videovk974gc9zszqpr3jzrr1w17sb7s84eqsylatestvk974gc9zszqpr3jzrr1w17sb7s84eqsym3u8vk974gc9zszqpr3jzrr1w17sb7s84eqsy
90downloads
0stars
1versions
Updated 2w ago
v1.0.0
MIT-0
unixsam@jyt2018
HLSdownload videolatestm3u8
Download

M3U8 Video Downloader

Overview

Download videos from M3U8/HLS streaming URLs by parsing playlists, downloading TS segments with multi-threading, handling encrypted streams (AES-128), and merging all segments into a single MP4 file using ffmpeg.

Prerequisites

Before executing, ensure the following are available:

  1. Python 3 with requests library installed: pip install requests
  2. ffmpeg installed and added to system PATH (required for merging TS segments into MP4)
  3. Network access to the M3U8 URL

Workflow

1. Understand the User's Request

Extract from the user:

  • M3U8 URL: The streaming playlist URL (required)
  • Output filename: Name for the saved MP4 file (required, without extension)
  • Base64 key (optional): For encrypted streams that require a manually provided AES-128 decryption key

2. Prepare the Environment

  • Copy scripts/M3u8Download.py to the working directory
  • Ensure requests is installed in the Python environment
  • Verify ffmpeg is accessible from the command line: ffmpeg -version

3. Execute the Download

Use the M3u8Download class from scripts/M3u8Download.py:

from M3u8Download import M3u8Download

M3u8Download(
    m3u8_url="<user_provided_url>",
    file_path="<output_name>",        # Without extension; TS temp dir and final MP4 use this name
    max_workers=64,                   # Concurrent download threads
    num_retries=10,                   # Retry count on download failure
    base64_key=None                   # Optional: base64-encoded AES-128 key for encrypted streams
)

Key Parameters

ParameterDescription
m3u8_urlM3U8 playlist URL or local file path
file_pathBase name for temp folder and output MP4 file
max_workersMax concurrent download threads (default: 64)
num_retriesDownload retry count on failure (default: 10)
base64_keyOptional base64-encoded decryption key for AES-128 encrypted streams

4. What Happens During Download

  1. Parse M3U8: Fetches and parses the M3U8 playlist. If it is a master playlist (contains EXT-X-STREAM-INF), automatically follows the redirect to the media playlist.
  2. Download key: If the playlist specifies EXT-X-KEY, the encryption key is downloaded (or uses the provided base64_key).
  3. Download segments: All TS segments are downloaded concurrently with progress bar display.
  4. Merge: ffmpeg merges all TS segments into a single MP4 file.
  5. Cleanup: After verifying the MP4 file size matches the total TS size (within 10% tolerance), temporary TS files, key file, and M3U8 file are deleted automatically.

5. Handle Errors

  • If ffmpeg is not found, inform the user to install it and add to PATH.
  • If download fails due to network issues, the retry mechanism will attempt num_retries times.
  • If the MP4 output size does not match the TS total size, temporary files are preserved for manual inspection.
  • For encrypted streams without a provided key, the script attempts auto-download; if that fails, ask the user for the base64_key.

Scripts

scripts/M3u8Download.py

Main download script containing the M3u8Download class. This is the primary script to use for all M3U8 download operations.

Notes

  • The script supports both URL-based and local file-based M3U8 inputs.
  • Chinese filenames and paths are supported.
  • On Windows, os.startfile() is used to open the output directory after download completes.
  • Do NOT modify the source code in scripts/ - use it as-is.

Comments

Loading comments...