Is apollo1234/yt-dlp-downloader-skill safe?
https://github.com/openclaw/skills/tree/main/skills/apollo1234/yt-dlp-downloader-skill
This skill is a legitimate yt-dlp video downloader wrapper with no hidden malicious content, clean installation behavior, and intact canary files. However, it defaults to extracting browser cookies for YouTube authentication (accessing the user's full Chrome cookie database) and requests overly broad 'all' shell permissions, creating a meaningful privacy and security surface that users should be aware of before installation.
Findings (6)
MEDIUM (-25): Default browser cookie extraction for YouTube
The skill instructs the agent to use --cookies-from-browser chrome as the default approach for all YouTube URLs. This causes yt-dlp to read Chrome's entire cookie database to extract relevant authentication cookies. While this is a legitimate yt-dlp feature to bypass YouTube's 403 errors, the user's browser cookie store contains session tokens for every logged-in service (banking, email, social media). The agent will execute this without explicit per-session user consent since the skill marks it as the recommended default.
MEDIUM (-15): Overly broad permission request
The skill's workflow section requests required_permissions: ["all", "network"]. The 'all' scope grants the agent unrestricted permission to execute any shell command. A video downloader should only require 'network' (for downloading) and 'filesystem_write' (for saving files). The 'all' scope unnecessarily expands the agent's capabilities beyond what the skill functionally requires.
LOW (-10): Automatic package installation
The skill instructs the agent to install yt-dlp via pip and ffmpeg via brew if they are not already present. While these are legitimate, well-known packages, automatic installation of software expands the system's attack surface and should ideally require explicit user approval.
LOW (-10): Cookie extraction combined with broad permissions creates compound risk
The combination of default cookie extraction and 'all' permissions means the agent could theoretically access browser cookies and then use those cookies or derived data in arbitrary shell commands. While this skill does not exploit this combination, it creates a risky permission surface that could be leveraged if the skill were modified or if it interacted with other installed skills.
INFO (-5): Bilingual trigger phrases broaden activation surface
The skill triggers on both English and Chinese phrases ("下载视频", "download video", "B站", "抖音", "提取音频", "extract audio"). While not malicious, this broad trigger set increases the likelihood of unintended skill activation during normal conversations.
INFO (0): Clean installation with no anomalous behavior
The git clone and installation process produced no suspicious network connections, no unexpected filesystem changes outside /tmp, and no anomalous process execution. All observed activity corresponds to standard git clone operations and system services.