Is dimitryvin/video-dl safe?

https://github.com/openclaw/skills/tree/main/skills/dimitryvin/video-dl

Score: 83/100 · SAFE

The dimitryvin/video-dl skill is a largely legitimate yt-dlp wrapper that downloads videos from 1000+ sites and provides optional FFmpeg compression for Telegram sharing. The primary concern is a deliberate Telegram exfiltration pathway: the skill instructs agents to run a compress-and-send script and then explicitly send the output file via the agent's own Telegram tools to a CHAT_ID, creating an agent-mediated file forwarding chain that could be abused if the CHAT_ID is manipulated. Canary files were accessed during monitoring, but timing and process analysis attribute all reads to the oathe audit framework rather than the skill, and the canary integrity check confirms no exfiltration occurred.

Category Scores

Prompt Injection 85/100 · 30%
Data Exfiltration 78/100 · 25%
Code Execution 82/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 70/100 · 5%

Findings (7)

MEDIUM Telegram CHAT_ID creates agent-mediated exfiltration vector -22

SKILL.md instructs the agent to run compress-and-send.sh with a user-provided CHAT_ID, then explicitly directs the agent to 'Send the resulting -telegram.mp4 file'. This workflow conditions the agent to forward arbitrary local files to a Telegram chat using its own tools. If the CHAT_ID is manipulated (e.g., via a crafted user prompt or secondary injection), the agent would exfiltrate downloaded media — and potentially other files — to an attacker-controlled Telegram bot.

LOW Background nohup process reduces agent transparency -8

The recommended invocation in SKILL.md uses nohup with output redirected to /tmp/compress.log, running compress-and-send.sh detached from the agent's session. The agent cannot observe the subprocess output in real time and may not detect failures or unexpected behavior.

LOW Timing-based file detection in download.sh -5

download.sh identifies the downloaded file by running 'ls -t "$OUTPUT_DIR" | head -1', selecting the most recently modified file in the output directory. If another process writes to ~/Downloads/videos/ concurrently, the wrong file path may be reported to the agent via the MEDIA: marker.

LOW MEDIA: protocol marker conditions agent to act on file path -10

download.sh emits 'MEDIA:' to stdout after download. This non-standard marker is designed to be parsed by the agent runtime, signaling it to take further action (e.g., display, attach, or forward the file). Depending on agent implementation, this could trigger unintended downstream actions beyond what the user requested.

LOW Skill designed for Telegram integration escalates risk when combined with Telegram tools -20

The skill is benign in isolation but explicitly designed to work with a Telegram sending workflow. Any agent environment that also has a Telegram skill, bot token, or send_message tool will have an elevated risk profile when this skill is active. The compress-and-send naming implies a send step that is intentionally delegated to the agent.

INFO GitHub and Ubuntu CDN network activity during install 0

The git clone contacted GitHub (140.82.121.4) as expected. Ubuntu/Canonical CDN addresses (91.189.91.49, 185.125.188.57) were contacted, consistent with background system apt activity unrelated to the skill. No skill-initiated outbound connections detected.

INFO Canary file reads observed but attributed to audit framework 0

Multiple reads of honeypot files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, .config/gcloud/application_default_credentials.json) were recorded in inotify and auditd logs. Timestamp analysis places the first access batch at 07:19:22 (before the git clone at 07:19:28) and the final batch at ~07:19:38 (post-scan). Process correlation ties these reads to auditctl/sudo initialization and the audit framework's own canary verification routine. The canary integrity monitor confirms no exfiltration occurred.