Social Downloader
PassAudited by ClawScan on May 16, 2026.
Overview
This skill does what it claims, but users should know it runs local video tools and may send downloaded audio to OpenAI for transcription if an API key is available.
This appears safe for its stated purpose. Before installing, make sure you are comfortable running yt-dlp and ffmpeg locally, and be aware that transcription mode can use your OpenAI API key and send the video's audio to OpenAI.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent can run local download tooling against links the user provides and create local media files.
The script invokes yt-dlp on a user-provided URL and writes the result to a local output directory. This is central to the skill's purpose and uses quoted arguments.
yt-dlp -f 'bv*+ba/best' --merge-output-format mp4 -o "$OUT_DIR/%(title).120s-%(id)s.%(ext)s" "$URL"
Use it only for links you intend to download, and choose an output folder you are comfortable writing media files into.
If an OpenAI API key is present, the skill may use the user's OpenAI account and incur API usage for transcription.
The script reads an OpenAI API key from the local environment if one exists, even though the registry metadata declares no required or optional environment variables.
key = os.environ.get('OPENAI_API_KEY')Declare OPENAI_API_KEY in the skill metadata and make sure users understand when their OpenAI account will be used.
Audio from the downloaded video may be sent to OpenAI for transcription.
When OPENAI_API_KEY is set, the script sends the extracted audio file to OpenAI's transcription API. This supports the stated transcription feature, but the external data flow is not clearly called out in SKILL.md or metadata.
req = urllib.request.Request('https://api.openai.com/v1/audio/transcriptions', data=b''.join(body), headers={'Authorization': f'Bearer {key}', 'Content-Type': f'multipart/form-data; boundary={boundary}'})Avoid using this mode for private or sensitive videos unless you are comfortable sending the audio to OpenAI.
The skill may fail or behave differently depending on the locally installed yt-dlp and ffmpeg versions.
The metadata does not declare required binaries, while the included scripts call yt-dlp and ffmpeg. This is not suspicious by itself, but it means the runtime depends on whatever local versions are available.
Required binaries (all must exist): none
Declare yt-dlp and ffmpeg as required binaries and use trusted, up-to-date installations.