YouTube Media Downloader

Security checks across malware telemetry and agentic risk

Overview

This YouTube downloader does what it advertises, but it automatically downloads and persists executable tools from GitHub without pinning, checksum verification, or a separate opt-in step.

Install only if you are comfortable with the skill downloading and keeping yt-dlp and ffmpeg executables in your home directory. Safer use would be to preinstall trusted, pinned versions of those tools yourself, review the scripts before running them, choose output folders deliberately, and use playlist limits to avoid large disk or bandwidth usage.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (11)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 95%
Finding
The skill advertises executable shell-based behavior but does not declare permissions, which weakens the trust and consent boundary for users and any orchestrator enforcing least privilege. In this context, the risk is amplified because the documented workflow performs file writes and dependency installation, both of which are materially sensitive operations.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 98%
Finding
The skill description focuses on media downloading, but the technical notes disclose automatic installation of yt-dlp and ffmpeg from GitHub, which is a materially different and more sensitive behavior involving remote code/binary retrieval and execution. That mismatch can mislead users and security controls, creating supply-chain and arbitrary-code-execution risk if the fetched artifacts are compromised or spoofed.

Description-Behavior Mismatch

Medium
Confidence: 97%
Finding
The script goes beyond its stated purpose of downloading YouTube media by automatically installing yt-dlp and ffmpeg, changing PATH, and writing binaries into the user's home directory. That broadens the skill's capabilities and trust boundary without explicit consent, creating supply-chain and unwanted system modification risk.

Context-Inappropriate Capability

High
Confidence: 99%
Finding
Automatically downloading executables from the network and executing or relying on them is a real security issue for this skill. If the remote source, transport, release asset, or local environment is compromised, the user may run attacker-controlled code, which is disproportionate to a simple media downloader's expected behavior.

Description-Behavior Mismatch

Medium
Confidence: 96%
Finding
The script silently expands its behavior from downloading YouTube media to downloading and installing executable binaries from GitHub into the user's home directory. This creates a software supply-chain risk: if the downloaded binaries or release channel are tampered with, the user will execute attacker-controlled code, and the behavior is not clearly constrained or justified by the stated skill purpose.

Context-Inappropriate Capability

High
Confidence: 98%
Finding
The skill retrieves executable tools from the network and makes them runnable without integrity verification or strong user consent. Because the script then relies on those binaries for subsequent execution, a compromised download path, malicious release artifact, or unexpected binary replacement could directly lead to remote code execution in the user's environment.

Vague Triggers

Medium
Confidence: 82%
Finding
The invocation language is broad enough to match many generic requests about saving or archiving content, which can cause the skill to trigger in situations where the user did not intend local downloads or bulk operations. In a shell-capable skill that writes files and may fetch dependencies, overbroad routing increases the chance of surprising or unsafe execution.

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill documentation does not prominently warn that it writes files locally and can perform bulk downloads, reducing informed consent and increasing the likelihood of unexpected disk usage, network usage, and potentially large-scale content retrieval. This is more dangerous here because the skill supports playlists, batch files, and resumable downloads, which can magnify impact quickly.

Missing User Warnings

Medium
Confidence: 98%
Finding
The script silently downloads yt-dlp into the user's home directory when it is missing, with no warning in help text and no confirmation prompt. This undermines informed consent and exposes users to unreviewed code retrieval and execution paths they did not ask for.

Missing User Warnings

Medium
Confidence: 98%
Finding
The ffmpeg bootstrap path silently downloads, extracts, and installs a remote archive into the user's home directory, then modifies PATH for later use. This is risky because archive extraction and executable installation from the network can introduce supply-chain compromise or unexpected host modification without user awareness.

Missing User Warnings

Medium
Confidence: 94%
Finding
The script installs yt-dlp and ffmpeg with only informational status messages, so users may not realize the skill is modifying their system and introducing new executables. In the context of an agent skill, undisclosed installation behavior is especially risky because it exceeds normal expectations for a downloader and reduces informed consent around supply-chain and persistence risks.

VirusTotal

64/64 vendors flagged this skill as clean.
