video-download-assist

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward video-downloader skill that fetches user-provided video links and saves them locally, with normal caution around automatic downloads and disk usage.

Install this only if you want supported video links to trigger local downloads. Watch disk usage for large videos or playlists, install yt-dlp from a source you trust, and only use browser-cookie options when you intentionally want authenticated downloads from your own account.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 90%
Finding
The trigger list is very broad and includes generic phrases like '下载这个' and raw domain matches, which can cause the skill to activate on casual mentions or pasted links without a clear, specific download intent. In this skill, unintended activation is more dangerous because activation leads to network access and local file writes, potentially downloading untrusted remote content automatically.

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill advertises automatic downloading and saving to a local directory but does not present an up-front warning in the description that using the skill will perform network fetches and write files locally. This weakens informed consent and increases the chance users trigger behavior they did not expect, especially when combined with broad auto-activation triggers.

VirusTotal

65/65 vendors flagged this skill as clean.
