YouTube Music ULTRA

Pass

Audited by VirusTotal on May 11, 2026.

Findings (1)

The skill's core purpose is benign: controlling YouTube Music via OpenClaw browser automation. However, the Node.js scripts (`scripts/control.js`, `scripts/direct-play.js`, `scripts/ultra-play.js`) contain shell injection vulnerabilities. They use `child_process.execSync` to construct and execute shell commands with user-controlled input (e.g., song queries, video IDs) without proper shell escaping. This allows an attacker to inject arbitrary commands or arguments to the `openclaw browser` CLI, posing a significant risk of remote code execution. This is a critical vulnerability, not intentional malice.