Skill v1.0.2
ClawScan security
Twitter Video Download · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Review: Mar 14, 2026, 7:41 AM
- Verdict: Review
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill mostly does what it says (uses yt-dlp to download Twitter/X videos), but the declared requirements are inconsistent with the code and the PROXY_URL env var is marked as required even though it's optional — review before installing.
- Guidance: This skill appears to implement the advertised feature, but there are a couple of mismatches you should address before installing or running it:
  - The Node script (download.mjs) requires Node to run, but the registry metadata does not declare node as a required binary. Ensure your environment provides Node (node/npm) or ask the author to update the metadata.
  - The manifest marks PROXY_URL as required, but the script treats it as optional (used only when set). Only set PROXY_URL if you need a proxy; avoid placing credentials in that variable unless you trust the source and understand where that proxy forwards traffic.
  - The skill spawns the yt-dlp executable to download remote media. yt-dlp will perform network requests to Twitter/X and possibly third-party hosts (CDNs). Only use this skill if you trust the author and the yt-dlp package you install (pip install yt-dlp from PyPI). Consider installing yt-dlp in a controlled environment (virtualenv) first.

  Recommended actions:
  1) Request the author or maintainer to add 'node' to required binaries or provide a pure-Python implementation.
  2) Ask them to mark PROXY_URL as optional in registry metadata so it isn't treated as mandatory.
  3) Review the Node script locally (it is included) and test in a VM or isolated environment before giving it broad access to your filesystem.
  4) If you must use a proxy, avoid embedding sensitive credentials in PROXY_URL unless necessary; prefer a local proxy or secure credential handling.

  Given these inconsistencies, treat the package with caution until the metadata and documentation are aligned with the actual runtime requirements.
Review Dimensions
- Purpose & Capability (concern): The skill's purpose (download Twitter/X videos via yt-dlp) matches the implementation, but the declared required binaries are incomplete/inconsistent: the manifest lists python and pip (needed to install yt-dlp) but does not list node, yet the runtime is a Node script (download.mjs). A legitimate implementation would declare node (or not use Node).
- Instruction Scope (note): SKILL.md instructions are narrowly scoped to downloading Twitter/X videos and installing yt-dlp. They do not request unrelated files or credentials. However, the instructions (and registry metadata) mark PROXY_URL as required, while the script treats PROXY_URL as optional — this gives the skill broader assumed environment dependence than necessary.
- Install Mechanism (ok): There is no automatic install spec (instruction-only), and the README recommends installing yt-dlp via pip. No downloads from untrusted URLs or archive extraction are present in the package itself. This is low-risk but relies on the user running pip install yt-dlp manually.
- Credentials (concern): Registry metadata lists PROXY_URL as a required environment variable. The code only reads PROXY_URL optionally and continues if it's unset; a proxy is only needed for users behind network restrictions. Marking it required is disproportionate. PROXY_URL may contain host/port or credentials — treat it as sensitive and only set it if necessary.
- Persistence & Privilege (ok): The skill does not request permanent presence (always:false) and does not modify other skills or global settings. It runs a one-off yt-dlp process and writes files to the user-specified output directory.
