video-download

Pass

Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: video-download
Version: 0.1.6

The skill provides a wrapper for `yt-dlp` and `faster-whisper` that includes high-risk capabilities, specifically the ability to extract session cookies directly from local browser profiles (e.g., Chrome, via the `cookiesfrombrowser` parameter) and accept arbitrary cookie files. While these are legitimate features of `yt-dlp` used to bypass anti-bot measures on video platforms, they represent a significant attack surface for credential theft or session hijacking if the AI agent is manipulated via prompt injection. The script `scripts/video_parser.py` also allows specifying an arbitrary output directory, which could lead to unauthorized file writes, although it does implement basic sanitization for video titles to prevent simple path traversal.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If used carelessly, the agent may use login cookies for video sites. A raw Cookie header may also be applied broadly during downloads, which could expose session material to requested sites or dependencies it was not intended for.

Why it was flagged

The code can pass a raw Cookie header, browser cookie source, or cookie file into yt-dlp, enabling authenticated requests using local session material.

Skill content

```python
if cookie:
    base_opts["http_headers"] = {"Cookie": cookie}
...
if cookiesfrombrowser:
    base_opts["cookiesfrombrowser"] = (cookiesfrombrowser,)
...
if cookiefile:
    base_opts["cookiefile"] = cookiefile
```

Recommendation

Use authenticated options only when necessary. Prefer a temporary, site-specific cookie file over whole-browser cookie access, and confirm the URL list and account scope before running.

What this means

Installing or running the skill may fetch external packages and large AI model files, which can affect security, reproducibility, bandwidth, and disk usage.

Why it was flagged

The skill depends on unpinned third-party Python packages and a model download. This is expected for video downloading and transcription, but it expands the trusted supply chain.

Skill content

`pip install yt-dlp yt-dlp-ejs ffmpeg-python faster-whisper tqdm` ... The first run will download models from HuggingFace

Recommendation

Install in a virtual environment, review package sources, consider pinning versions, and ensure you trust the model download location.

What this means

The skill can create folders and save large video, audio, and subtitle files in the chosen output directory.

Why it was flagged

The skill performs network downloads and local file writes as its core function. This is purpose-aligned, but users should notice the disk and file-system impact.

Skill content

The skill will:
1. Create a folder for each video ...
2. Download the video file ...
3. Extract audio as WAV file ...
5. Save subtitle as .txt file

Recommendation

Use a deliberate output path, avoid protected or shared directories unless intended, and monitor disk space for large or multiple downloads.