tl_video_downloader
Security checks across malware telemetry and agentic risk
Overview
This video downloader is purpose-aligned, but when run it automatically installs or upgrades local packages, with no declared install step or explicit user approval.
Install only if you are comfortable with the skill installing or upgrading yt-dlp and ffmpeg through pip, brew, apt, or choco. Prefer reviewing the script first, installing dependencies yourself, or running it in a contained environment.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the skill can change the user's Python or system package environment before the video is downloaded.
The script installs or upgrades third-party dependencies at runtime from package managers, with no pinned versions, even though the provided metadata declares no install spec or required binaries.
["pip", "install", "yt-dlp", "--upgrade"] ... ["brew", "install", "ffmpeg", "-q"] ... ["apt", "install", "ffmpeg", "-y"] ... ["choco", "install", "ffmpeg", "-y"]
Declare these dependencies in the install metadata, pin versions where practical, and require clear user confirmation before installing or upgrading packages.
A user asking to download a video may also trigger local package-manager commands without a separate approval step.
If a dependency check fails, the script automatically executes the associated install command rather than limiting execution to the user-visible download operation.
subprocess.run(install_cmd, capture_output=True, text=True, check=True)
Separate setup from runtime use, ask before running install commands, and avoid automatic system package installation from a downloader task.
