yt-dlp

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: it helps fetch requested music with yt-dlp into a dedicated local OpenClaw music folder.

Install only if you are comfortable with an agent contacting YouTube and saving requested audio files under ~/.openclaw/workspace/music/. Keep downloads user-directed, use trusted ffmpeg and yt-dlp packages, and avoid letting untrusted text control shell command arguments.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill explicitly instructs the agent to create directories, access YouTube over the network, and download/convert files into the user's workspace without requiring an explicit user confirmation or warning about those side effects. In an agent setting, silent external network access plus file creation can violate user expectations and enable unintended downloads of untrusted content.

VirusTotal

66/66 vendors flagged this skill as clean.
