Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Video Dl

v1.1.0

Download videos from YouTube, Reddit, Twitter/X, TikTok, Instagram, and 1000+ other sites using yt-dlp. Use when user provides a video link and wants to download it.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's stated purpose (download videos via yt-dlp) matches the provided scripts. However, the SKILL.md and scripts rely on external binaries (yt-dlp, ffmpeg, ffprobe) but the skill declares no required binaries. Also SKILL.md describes a 'Sending to Telegram' workflow which implies sending to an external service, but the included compress-and-send.sh only compresses and prints status — it does not transmit to Telegram. The absence of declared binary requirements and the mismatch about Telegram are incoherent with the metadata.
Instruction Scope
SKILL.md instructs the agent/user to run the included scripts with a URL (and for compression, a CHAT_ID). The scripts operate only on the provided URL/file and write to ~/Downloads/videos (or a user-specified output). They do not read unrelated system files or additional environment variables. The scope is largely limited to downloading and compressing media, but SKILL.md's wording could mislead users into thinking the skill autonomously sends media to Telegram when it does not.
Install Mechanism
There is no install spec (instruction-only skill with two helper scripts). That minimizes install-time risk (nothing downloaded or written by an installer).
Credentials
The skill requests no environment variables or credentials (good). The scripts do access $HOME and look for $HOME/.local/bin/yt-dlp, and write to ~/Downloads/videos by default; these are reasonable for the stated task but should have been declared as required binaries/dependencies (yt-dlp, ffmpeg, ffprobe). No secrets are requested or used.
Persistence & Privilege
always is false and the skill is user-invocable only. It does not request permanent presence or attempt to modify other skills or system-wide agent settings.
What to consider before installing
This skill largely does what it says (downloads videos using yt-dlp), but check a few things before installing or running it:
- Ensure you have the required binaries installed from trusted sources: yt-dlp, ffmpeg and ffprobe. The skill does not declare these requirements but both scripts call them.
- Note that the SKILL.md suggests a Telegram send flow, but compress-and-send.sh only compresses and prints success; it does not actually upload or notify Telegram. Treat the CHAT_ID parameter as informational only unless you modify the script to perform uploads.
- The scripts write to ~/Downloads/videos by default and will download arbitrary URLs you pass in. Confirm you are comfortable with network downloads and legal/copyright implications for the content you request.
- Because there is no installer, nothing is written to system locations by the skill itself, but the scripts will execute external binaries and write files to your home directory — run them in a controlled environment if you are unsure.

If you plan to use this skill: verify yt-dlp and ffmpeg are installed and up-to-date, inspect or test the scripts locally, and consider running them in a sandbox or container if you are concerned about side effects.

Like a lobster shell, security has layers — review code before you run it.

latest: vk97dkb3b4hr0xexnjfranqqe2h80ynqp

