Is chordlini/dwnldr safe?

https://github.com/openclaw/skills/tree/main/skills/chordlini/dwnldr

Overall score: 72 (CAUTION)

dwnldr is a piracy-focused video downloader skill that explicitly advertises anti-forensic operation ('no traces, no evidence') and is designed to download copyrighted content from major streaming platforms while stripping all identifying metadata. Its most significant security concerns are an aggressive prompt injection directive that forces the agent to auto-download any recognized URL without user confirmation, and an error-recovery path that instructs the agent to access the user's entire Chrome browser cookie store. The install itself was clean with no malicious code execution, no exfiltration, and all canary files intact, but the skill's behavioral design creates meaningful legal exposure and overrides user consent in a way that warrants careful review before deployment.

Category Scores

Prompt Injection 60/100 · 30%
Data Exfiltration 60/100 · 25%
Code Execution 90/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 25/100 · 5%

Findings (8)

HIGH Mandatory Auto-Trigger Suppresses User Confirmation -30

The skill embeds a bolded CRITICAL directive instructing the agent to automatically treat any URL from YouTube, TikTok, Instagram, Twitter, Reddit, Twitch, Vimeo, or Facebook as a download request and explicitly prohibits the agent from asking the user for confirmation. This hijacks agent decision-making: a user pasting a URL for research, discussion, or sharing context would trigger an unsolicited download. The use of 'CRITICAL' and 'Do NOT ask' is designed to override any agent safety heuristic that would seek user consent.

MEDIUM Hardcoded Author Username in All File Paths -10

Every download, ffmpeg, and delivery command in the skill uses the absolute path /home/rami/.openclaw/workspace/_incoming/ where 'rami' is the skill author's local username. On any other user's system this directory does not exist. The agent would either fail silently, create unexpected directory trees, or attempt to write files to the wrong location. This also inadvertently leaks the skill author's local system username and directory structure.

HIGH Chrome Cookie Store Access for Age-Restricted Recovery -25

The error handling table instructs the agent to retry failed age-restricted downloads with yt-dlp --cookies-from-browser chrome. This flag reads the user's Chrome browser profile cookie database directly from disk. It retrieves cookies for all domains the user is authenticated to — not scoped to the target video platform. While these cookies are used locally by yt-dlp for the HTTP request, the agent has no way to scope or audit which cookies are accessed, and yt-dlp itself sends them in Authorization headers to external servers.

MEDIUM Unresolved Telegram and LocalSend Delivery Targets -15

Downloaded files are delivered via 'openclaw message send --target ' for Telegram and 'localsend-cli send --to ' for large files. Neither the resolution mechanism for nor is defined in the skill. If the agent infers these from prior conversation context or from content embedded in video titles (a prompt injection vector), files could be routed to unintended recipients. A malicious video title containing Telegram user IDs or device identifiers could redirect delivery.

HIGH Explicit Anti-Forensic Design for Copyright Infringement -65

The skill's description, branding, and metadata-stripping behavior are unambiguously designed to facilitate mass copyright infringement while evading detection. The description advertises 'No traces, no evidence, just pure content booty.' The ffmpeg pipeline strips title, artist, comment, description, source URL, creation date, encoder info, and GPS coordinates — standard anti-forensic practice to defeat content ID systems and watermarking. This exposes users to DMCA liability, ToS termination, and in some jurisdictions criminal copyright charges. The skill supports playlists and 1000+ sites, enabling bulk infringement.

MEDIUM Geographic Restriction Bypass Instruction -10

The error recovery table instructs the agent to retry geographically restricted content with yt-dlp --geo-bypass. This flag spoofs the client's geographic location to circumvent content licensing restrictions, which violates the terms of service of every major streaming platform and may constitute unauthorized access under computer fraud statutes in some jurisdictions.

LOW Clean Install with Expected Network Footprint Only -5

The installation performed a git sparse-checkout of the skill subpath. Only GitHub (140.82.121.4:443) was contacted for the clone. Ubuntu/Canonical servers (91.189.91.48:443, 185.125.188.58/59:443) contacted during install are pre-existing system-level connections unrelated to the skill. No unexpected process spawning, no files modified outside the target directory, and no new listening ports after install.

INFO All Honeypot Files Intact — No Exfiltration 0

Honeypot files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, GCloud credentials) were accessed at two timestamps: 1771733947 (pre-install audit baseline setup by the oathe infrastructure via sudo) and 1771733964 (post-install canary integrity check by the audit process). Neither access is attributable to skill code. All files are unmodified per the integrity report.