Is cyberpsychosissss/video-news-downloader safe?

https://github.com/openclaw/skills/tree/main/skills/cyberpsychosissss/video-news-downloader

Overall score: 72 (CAUTION)

This video news downloader skill provides legitimate functionality for downloading CBS and BBC news videos with AI-powered subtitle correction. However, it introduces concerning automation features including persistent cron jobs, network services, and external AI integration that could be misused.

Category Scores

Prompt Injection 85/100 · 30%
Data Exfiltration 80/100 · 25%
Code Execution 55/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 70/100 · 5%

Findings (5)

MEDIUM Chinese language instruction in skill documentation -15

The skill includes a Chinese instruction '校对字幕文件 /path/to/subtitle.vtt' that directs the agent to proofread subtitle files. This could be used for language-based prompt injection attacks.

HIGH Automated cron job scheduling -30

The skill creates persistent cron jobs that automatically download videos and process subtitles daily at 20:00 Beijing Time. This provides persistence and runs without user oversight.

MEDIUM HTTP server creation -15

The skill starts HTTP servers on ports 8093 and 8095 to serve downloaded video content. This exposes network services that could be misused.

MEDIUM External AI service integration -20

The skill integrates with DeepSeek AI service for subtitle proofreading, which involves sending potentially sensitive subtitle content to external servers.

LOW Potential for misuse of automation features -30

The combination of persistent scheduling, network services, and external AI integration creates multiple vectors that could be misused if the skill were modified or if the external services were compromised.