YouTube Media Downloader

Pass

Audited by VirusTotal on May 12, 2026.

Findings (1)

The skill is suspicious due to severe shell injection vulnerabilities in `scripts/batch_download.sh` and `scripts/download_media.sh`. User-controlled input for output directories and filenames (e.g., via `-o` flag or `OUTPUT_FILENAME` argument) is directly interpolated into shell commands (e.g., `yt-dlp`, `ls`, `find`) without proper sanitization, allowing arbitrary command execution. Additionally, both scripts automatically download and execute external binaries (`yt-dlp` from `github.com/yt-dlp` and `ffmpeg` from `github.com/BtbN/FFmpeg-Builds`) from the internet, posing a significant supply chain risk if these external sources were compromised.