Multi-Platform Video Downloader
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The downloader mostly matches its stated purpose, but it can automate a browser to bypass site protections and use logged-in browser cookies without clear scoping.
Review before installing. If you use it, run it in an isolated environment or dedicated browser profile, do not expose personal logged-in browser sessions, verify the yt-dlp/DrissionPage dependencies, and only download content you are authorized to access.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The downloader may make requests as a logged-in user, which could expose account-gated content to the tool or trigger account/platform restrictions.
Browser cookies are session credentials. The artifacts do not specify which browser profile or cookies are used, how the user approves that use, or how authenticated access is bounded.
**Cookie Support** - DrissionPage mode uses browser cookies for authenticated access
Use a dedicated browser profile or container, avoid personal logged-in sessions, and require explicit confirmation before any cookie-backed browser mode is used.
Using this mode could violate platform rules, cause rate limits or account challenges, or perform broader automated browsing than the user expects.
The skill documents browser automation specifically to bypass anti-crawl protections and says this path is automatic for one platform, increasing the risk of unintended automated account or network activity.
DrissionPage ... Bypasses most anti-crawl protections ... Used automatically for Douyin
Only use browser mode after explicit user approval, document platform/account risks, and avoid bypassing access controls or anti-automation measures where not permitted.
Dependency or browser-download behavior may change over time, and users are trusting third-party code outside the skill package.
The setup relies on unpinned third-party packages and a runtime browser download. This is expected for the downloader but should be reviewed because the registry has no install spec.
pip install yt-dlp requests DrissionPage ... Chrome browser will be auto-downloaded on first use
Pin dependency versions, provide a reviewed install spec or Dockerfile, and install only from trusted package sources.