Universal Video Downloader
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The downloader mostly matches its stated purpose, but it uses automated browser sessions with cookies and disables browser sandboxing, so it deserves careful review before use.
Use this only if you are comfortable installing third-party downloader/browser automation packages. Prefer a virtual environment and a separate browser profile, avoid using browser mode on untrusted sites, and review the full script before giving it access to logged-in video accounts.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The tool may act through an authenticated browser session, potentially accessing account-gated content or causing account activity on video platforms.
The skill says it can use browser session cookies, while the registry declares no required credential and the docs do not bound which profile, cookies, accounts, or sites are used.
**Cookie Support** - DrissionPage mode uses browser cookies for authenticated access
Require explicit consent before browser/authenticated mode, document exactly which cookies or profile are used, and prefer a separate browser profile with only the needed account logged in.
If a visited page is malicious or exploits the browser, the disabled sandbox can reduce containment and increase local-system risk.
The browser automation used for video pages disables Chromium sandboxing before visiting a user-supplied URL, reducing isolation from untrusted web content.
co.set_argument('--no-sandbox') ... page = ChromiumPage(co) ... page.get(url)Avoid disabling the browser sandbox unless strictly necessary, restrict browser mode to trusted sites, and run the tool in a low-privilege or isolated environment.
Installing the skill may fetch and run third-party code or browser components that were not pinned to reviewed versions.
The dependency setup is purpose-aligned, but it relies on unpinned third-party packages and a first-use browser download without version or provenance details.
pip install yt-dlp requests DrissionPage ... Chrome browser will be auto-downloaded on first use
Install in a virtual environment, pin and verify package versions, and confirm the browser download source before first use.