v1.0.0

tl_video_downloader

Review

ClawScan verdict for this skill. Analyzed May 1, 2026, 8:16 AM.

Analysis

The video-download function is coherent, but running it can automatically install or upgrade external tools on the machine, so it deserves review before use.

Guidance: Install only if you are comfortable with the skill automatically installing or upgrading yt-dlp and ffmpeg. Safer use would be to manually install trusted dependencies first, run the skill in a non-privileged environment, and avoid giving it approval to change system packages automatically.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
Severity: Medium | Confidence: High | Status: Concern
scripts/main.py
["pip", "install", "yt-dlp", "--upgrade"] ... ["brew", "install", "ffmpeg", "-q"] ... ["apt", "install", "ffmpeg", "-y"] ... ["choco", "install", "ffmpeg", "-y"]

The script installs or upgrades dependencies from external package managers at runtime, with no version pinning and despite the artifact metadata declaring no install spec or required binaries.

User impact: A normal download request may pull and run third-party packages or system packages that were not part of the reviewed skill bundle.
Recommendation: Declare dependencies explicitly, pin versions where practical, move installation to a user-approved setup step, and avoid automatic upgrades during normal use.
Tool Misuse and Exploitation
Severity: Medium | Confidence: High | Status: Concern
scripts/main.py
print(f"❌ {pkg_name} 未安装,开始自动安装...")
subprocess.run(install_cmd, capture_output=True, text=True, check=True)

If a dependency is missing, the script automatically runs package-manager commands without a separate user confirmation step for the system-changing action.

User impact: The agent could modify the local software environment when the user only asked to download a video.
Recommendation: Require explicit approval before installing dependencies, prefer user-scoped or virtual-environment installs, and show the exact command before running it.