Is hacklyc/download-anything safe?

https://github.com/openclaw/skills/tree/main/skills/hacklyc/download-anything

78
CAUTION

The 'download-anything' skill contains no active malware, prompt injection, or canary compromise, and the installation process is clean. However, it carries two substantive risks: the bundled dl-video.sh silently reads browser session cookies from Chrome, Firefox, and Edge (using yt-dlp's --cookies-from-browser) as a side effect of Bilibili authentication, and the skill's reference files constitute an organized operational guide to copyright-infringing services — shadow libraries, torrent indexes, and piracy aggregators — that the skill explicitly instructs agents to use. The install script additionally executes privileged sudo package installations without confirmation. Operators should carefully assess legal, compliance, and credential-access exposure before deployment.

Category Scores

Prompt Injection 92/100 · 30%
Data Exfiltration 62/100 · 25%
Code Execution 73/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 30/100 · 5%

Findings (8)

HIGH Browser Cookie Extraction in dl-video.sh -25

dl-video.sh automatically tries to read the encrypted cookie database of Chrome, Firefox, and Edge when given any Bilibili or b23.tv URL. yt-dlp's --cookies-from-browser decrypts and reads all cookies stored in the browser, not only those for Bilibili. An agent that passes a broad class of video URLs to this script will silently grant it access to every authenticated session in the user's browsers.

HIGH Comprehensive Copyright Infringement Facilitation -55

The skill's reference files constitute a curated operational directory for copyright infringement: torrent indexes for movies/TV/anime, shadow libraries for books and academic papers, Chinese cloud-drive piracy aggregators, and OST rip sites. The SKILL.md description explicitly frames the agent's role as helping users find and download 'movies, TV shows, music, software' — categories predominantly obtained from these piracy sources. This exposes operators to DMCA liability, platform policy violations, and reputational damage.

MEDIUM Privileged Package Installation Without Confirmation -15

install-toolkit.sh runs sudo apt-get and sudo dnf install commands with the -y flag and error suppression. On Linux hosts this silently installs system-wide packages as root. The suppressed stderr means failures in one package do not halt installation of subsequent ones.

MEDIUM Cookie-Based Authentication Promoted for Arbitrary URLs -13

tools-reference.md documents --cookies-from-browser as a general authentication mechanism for any URL, not scoped to Bilibili. The gallery-dl config example hardcodes cookies-from-browser for Twitter, Reddit, and Instagram. An agent following these examples will routinely extract browser session tokens for social media platforms.

MEDIUM aria2 RPC Daemon Creates Unauthenticated Local Download Service -7

tools-reference.md documents starting aria2 with --enable-rpc --rpc-listen-all=true --rpc-allow-origin-all=true, opening port 6800 with no authentication. Any process or browser tab on the machine can then submit arbitrary download jobs. A Python library (aria2p) is also recommended for programmatic control.

LOW Open-Directory Google Dork Techniques -10

search-techniques.md provides ready-to-use 'intitle:"index of"' dork templates for enumerating exposed FTP and HTTP file servers. While framed as resource discovery, these patterns are identical to those used in web reconnaissance for discovering inadvertently exposed corporate or personal file shares.

INFO No Prompt Injection Vectors Detected 0

All files were reviewed for instruction-override directives, invisible characters, HTML comments used to hide instructions, and output-suppression language. None were found. The skill content is entirely operational reference documentation.

INFO All Honeypot Files Intact — No Exfiltration Observed 0

Six canary files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud credentials) were monitored throughout installation. Auditd PATH events show accesses only at timestamps corresponding to the audit framework's own pre/post-install integrity sweeps (all six files accessed in a single burst at identical millisecond timestamps), not from skill execution.