video-download

Security checks across malware telemetry and agentic risk

Overview

This skill does what it claims, but it can use sensitive browser/session cookies and can unexpectedly fall back from subtitle-only mode into full video download and transcription.

Install only if you are comfortable with a video downloader that can write large media/audio/transcript files locally and can use browser or exported session cookies for authenticated downloads. Do not paste raw cookies or provide browser-cookie access unless you trust the workflow, own the account, and have confirmed the exact target URLs. Treat the current subtitle-only option carefully because failed subtitle downloads can still trigger full video download and transcription.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill clearly performs file reads and writes, including reading cookie files and writing downloaded media, audio, and transcript outputs, yet declares no permissions. Hidden filesystem capabilities reduce transparency and can cause the agent or user to authorize actions they did not expect, especially when sensitive files like browser-exported cookies are involved.

Tp4

High
Category
MCP Tool Poisoning
Confidence
90% confidence
Finding
The declared purpose focuses on downloading videos and generating Whisper subtitles, but the documented behavior also includes authenticated downloads using raw cookies, browser cookie extraction, downloading existing subtitles, and fallback behaviors not clearly disclosed. This mismatch matters because it obscures sensitive data handling and can cause the skill to access authenticated content or perform broader actions than a user reasonably expects.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
When `onlysubtitle` is requested, the CLI still falls back to `download_videos()` for any URL whose subtitle download fails. That changes the operation from a narrow subtitle-only action into full media download and possible transcription, which can violate user intent, consume significantly more resources, and create unexpected data retention/network activity.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The function documentation says subtitle-only mode is used for only downloading subtitles, but the actual CLI flow may escalate into full video download fallback. This mismatch is security-relevant because downstream agents or users may trust the documented behavior and pass inputs assuming a reduced-permission, reduced-impact operation.

Vague Triggers

Medium
Confidence
79% confidence
Finding
The invocation text is broad enough to trigger on many generic requests about videos, audio extraction, or transcription. Over-broad matching increases the chance the skill is invoked in contexts where users did not intend downloading, filesystem writes, or authenticated access, creating unnecessary exposure and consent issues.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The output section describes files created on disk but does not clearly warn that media, extracted audio, and subtitles are written locally and that subtitle outputs may be overwritten by default. In an agent context, insufficient disclosure about persistent writes can lead to privacy issues, disk consumption, and accidental data loss.

Missing User Warnings

High
Confidence
94% confidence
Finding
The skill supports raw Cookie headers, browser-derived cookies, and cookie files for authenticated downloads without a strong privacy and security warning. Session cookies are highly sensitive credentials; mishandling them can expose user accounts, enable unauthorized access to paid or private content, and encourage unsafe credential transfer into agent workflows.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This documentation explicitly enumerates many extractors that require netrc credentials or cookies and also lists account-scoped endpoints such as history, subscriptions, notifications, favorites, watch-later, and recommended feeds. In a skill whose purpose is downloading media, that materially increases the chance that users or downstream agents will supply sensitive browser cookies or account credentials without clear privacy, authorization, and least-privilege warnings.

VirusTotal

65/65 vendors flagged this skill as clean.
