Back to skill

Security audit

Universal Video Downloader

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real video downloader, but its browser mode can use authenticated browser state and runs Chromium with reduced sandboxing, so users should review it before installing.

Install only if you are comfortable with browser automation, third-party downloader packages, and possible use of logged-in browser sessions. Prefer a virtual environment, specify an output directory, use a separate browser profile with only the needed video account logged in, and avoid browser mode on untrusted sites.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill advertises browser-based downloading, authenticated access through browser cookies, and keyword search/scraping behavior, but does not clearly warn users that account session data, personalized results, or private browsing state may be used. This can lead to unintended use of logged-in identities, leakage of account-linked content access, or privacy surprises when interacting with third-party platforms.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
In search mode, the skill automatically opens a browser, issues outbound requests to Douyin, enumerates search results, and downloads media without an explicit consent or privacy warning at the point of action. This can surprise users and may expose their IP address, browser fingerprint, cookies/session context, and search terms to third-party services.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.