Is yt-dlp safe?
https://clawhub.ai/joshualim30/yt-dlp
This yt-dlp wrapper skill contains no malicious code or prompt injection, but it exposes significant attack surface: its documentation of --cookies-from-browser (which would hand every browser session token to the agent), its unrestricted pass-through of arguments to yt-dlp (including --exec, which runs arbitrary shell commands after a download), and its preference for a .venv-local binary over the system yt-dlp (a supply chain risk). The skill is functionally legitimate but should be used with these risks in mind.
Findings (9)
HIGH Browser cookie access via --cookies-from-browser -45
The skill documents and encourages use of --cookies-from-browser, which lets yt-dlp load the user's entire browser cookie store. An LLM agent following those instructions can obtain session tokens for any site the user is logged in to (banking, email, cloud providers), for example by pairing the flag with --cookies FILE, which writes the loaded cookie jar back to disk where the agent can read it; SKILL.md even provides the exact syntax. The skill does say 'use with caution', but an autonomous agent may not exercise that judgment.
HIGH Shell script wrapper passes arbitrary arguments -35
download.sh forwards every argument ("$@") straight to yt-dlp, making it an unrestricted proxy for the yt-dlp command line. yt-dlp itself is a well-known tool, but the script validates or sanitizes nothing: an agent tricked into adding --exec (yt-dlp's post-processing hook) runs arbitrary shell commands, and --exec is not the only dangerous flag that passes through unchanged (--downloader accepts the path of an arbitrary executable, and --config-locations loads a config file that can itself contain --exec).
MEDIUM Unquoted variable expansion in shell script -5
The DEFAULTS variable is expanded unquoted ($DEFAULTS rather than "$DEFAULTS"), so it is subject to word splitting and pathname expansion. The risk is low today because DEFAULTS is hardcoded, but it is poor practice in a security-sensitive script. Note that simply quoting it is not the fix if DEFAULTS holds several flags, since "$DEFAULTS" would then reach yt-dlp as a single argument; the defaults should be built as separate words with set -- (or a bash array).
MEDIUM Local .venv binary takes precedence over system yt-dlp -15
The script looks for .venv/bin/yt-dlp before falling back to the yt-dlp on PATH. Anyone who can write to the skill's .venv/bin/ directory, for example through a compromised skill repository or a tampered checkout, therefore gets code execution with the user's privileges every time the skill runs. This is a supply chain risk if the skill repo is compromised.
MEDIUM yt-dlp --exec flag enables arbitrary command execution -30
Although the skill does not show it, yt-dlp's --exec flag runs an arbitrary shell command as a post-processing step, with the downloaded file's path available to it. An agent could be socially engineered into adding --exec to a download command and achieve RCE; the skill's pass-through of "$@" does nothing to block this.
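A hardened version of the wrapper that addresses the argument pass-through, the unquoted defaults and the .venv precedence at once. It is an added example written for this page, not the skill's own download.sh, and it assumes the original is roughly a .venv/bin/yt-dlp check followed by $YTDLP $DEFAULTS "$@" (a hypothetical reconstruction; the page does not show the script). OUT_DIR, YTDLP_BIN and YTDLP_DRY_RUN are names chosen here. Rather than blocking --exec alone, it allow-lists the few flags an agent legitimately needs, so --cookies-from-browser, --config-locations, --downloader and -o are refused as well, and it pins --restrict-filenames with an explicit -P output path so the output template finding below is settled by the wrapper rather than by the agent.

```shell
#!/bin/sh
# Hardened stand-in for the skill's download.sh. Added example, not the skill's own
# code; it assumes the original is roughly a .venv/bin/yt-dlp check followed by
# `$YTDLP $DEFAULTS "$@"` (hypothetical reconstruction). Three changes: arguments are
# allow-listed instead of passed through; defaults are built with `set --` so each
# flag stays its own word without an unquoted $DEFAULTS; and the binary comes from an
# explicit YTDLP_BIN or PATH, never the skill-local .venv, and is refused if it or its
# directory is world-writable.

OUT_DIR=${OUT_DIR:-./downloads}   # hypothetical default download directory

# Flags an agent may pass, as "flag:takes_value" words (split on whitespace below).
# Anything not listed is refused, which covers --exec, --cookies, --cookies-from-browser,
# --config-locations, --batch-file, --downloader, --ffmpeg-location, -o and -P.
ALLOWED_FLAGS='-f:1 --format:1 -x:0 --extract-audio:0 --audio-format:1
--no-playlist:0 --playlist-items:1 -q:0 --quiet:0 --no-warnings:0'

refuse() { printf 'refused argument: %s\n' "$1" >&2; }

# allowed_flag FLAG -> prints 1 if FLAG takes a value, 0 if not; returns 1 if unlisted.
allowed_flag() {
    for entry in $ALLOWED_FLAGS; do
        case "$entry" in "$1:"*) printf '%s\n' "${entry#*:}"; return 0 ;; esac
    done
    return 1
}

# check_args ARGS... -> 0 if every argument is an allowed flag (plus its value) or an
# http(s) URL; 1 otherwise, naming the first offending argument on stderr.
check_args() {
    while [ $# -gt 0 ]; do
        case "$1" in
            http://*|https://*) ;;
            --*=*)   # "--flag=value" form: only listed flags that take a value
                [ "$(allowed_flag "${1%%=*}")" = 1 ] || { refuse "$1"; return 1; } ;;
            -*)
                takes=$(allowed_flag "$1") || { refuse "$1"; return 1; }
                if [ "$takes" = 1 ]; then
                    # a value must follow and must not itself look like a flag
                    [ $# -ge 2 ] && [ "${2#-}" = "$2" ] || { refuse "$1"; return 1; }
                    shift
                fi ;;
            *)       # bare words: yt-dlp would treat them as URLs or searches; refuse
                refuse "$1"; return 1 ;;
        esac
        shift
    done
    return 0
}

# resolve_bin [PATH] -> prints the yt-dlp executable to use, or returns 1. Order is the
# explicit argument, then $YTDLP_BIN, then PATH; the skill-local .venv is never used.
resolve_bin() {
    bin=${1:-${YTDLP_BIN:-$(command -v yt-dlp || true)}}
    [ -n "$bin" ] && [ -x "$bin" ] || { printf 'yt-dlp not found\n' >&2; return 1; }
    # -perm -002 (octal, POSIX): refuse if the binary or its directory is world-writable
    if [ -n "$(find "$bin" "$(dirname "$bin")" -prune -perm -002 2>/dev/null)" ]; then
        printf 'refusing world-writable yt-dlp or directory: %s\n' "$bin" >&2; return 1
    fi
    printf '%s\n' "$bin"
}

# download ARGS... -> validate, prepend pinned defaults as separate words, then exec
# yt-dlp. YTDLP_DRY_RUN=1 prints the final argument list (one per line) instead.
download() {
    check_args "$@" || return 1
    set -- --ignore-config --no-exec --restrict-filenames \
           -P "$OUT_DIR" -o '%(title).80s [%(id)s].%(ext)s' "$@"
    if [ "${YTDLP_DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$@"; return 0; fi
    bin=$(resolve_bin) || return 1
    exec "$bin" "$@"
}

# Run only when executed directly as download.sh; when sourced, the functions above are
# available to the caller.
case "$0" in */download.sh|download.sh) download "$@" ;; esac
```

The allow-list is deliberately short; add flags to ALLOWED_FLAGS only after checking in the yt-dlp option reference that they cannot name a file, a program or a command. --ignore-config and --no-exec are pinned first so that neither a user config file nor a later argument can reintroduce a post-processing command.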
MEDIUM Video title path traversal in output template -15
The default output template uses %(title)s, a value the uploader controls. Traversal out of the output directory is not expected with default settings, however: yt-dlp sanitizes every template field before building the path, replacing path separators in the title (with Unicode look-alikes by default, or with underscores under --restrict-filenames). The practical risk is therefore unexpected or misleading characters in filenames rather than writes to other locations; pinning --restrict-filenames and an explicit -P output path in the wrapper removes most of it.
LOW Sensitive file reads during install context -25
Monitoring observed reads of .env, .aws/credentials, auth-profiles.json, .profile and .bashrc during the install phase. These appear to come from the OpenClaw agent runtime bootstrapping rather than from the skill itself, but they fall inside the skill's install window, so the timeline alone cannot attribute them.
INFO No prompt injection detected 0
SKILL.md contains no hidden instructions, unicode tricks, HTML comments, persona overrides, or attempts to manipulate the agent beyond the stated media download functionality. The markdown is clean and straightforward.
INFO All canary files intact 0
No honeypot files were accessed or modified during the audit. The skill did not attempt to read or exfiltrate any planted sensitive files.