Oathe Security Badge

Is mikf/gallery-dl safe?

https://github.com/mikf/gallery-dl/

Overall score: 83/100 · SAFE

mikf/gallery-dl is a well-established, legitimate open-source image downloader. Its SKILL.md contains no malicious content and no credential exfiltration was confirmed. The primary risk is two intentional but powerful features, the postprocessor/exec.py and postprocessor/python.py hooks, which run arbitrary shell commands or Python code driven purely by configuration: anyone who can influence gallery-dl's configuration gets code execution with no further exploitation steps. Canary credential files were read about six seconds before the clone operation, i.e. before any gallery-dl code was on disk, and no exfiltration was confirmed; the timing and the read-only access pattern point to the monitoring framework's baseline activity rather than to the skill itself.

Category Scores (score/100 · weight in the overall score)

Prompt Injection 100/100 · 30%
Data Exfiltration 70/100 · 25%
Code Execution 70/100 · 20%
Clone Behavior 92/100 · 10%
Canary Integrity 78/100 · 10%
Behavioral Reasoning 82/100 · 5%

Findings (7)

HIGH Arbitrary shell execution via postprocessor/exec.py -20

gallery_dl/postprocessor/exec.py is a documented feature: it runs a configured command after each downloaded file (or, depending on its event option, once when the job finishes), with the file path and metadata substituted into the command. A string command is passed through the shell; a list form runs without one. It is enabled from gallery-dl's JSON configuration (by default /etc/gallery-dl.conf, ~/.config/gallery-dl/config.json and ~/.gallery-dl.conf, which are merged) and also from the command line via --exec and --exec-after. If an LLM agent controls that configuration, e.g. by writing ~/.gallery-dl.conf, any downstream prompt injection or social engineering translates directly into arbitrary OS command execution with no additional exploitation steps. The hook is a feature, not a bug, so the mitigation is to control who can write the config and the agent's command line, not to wait for a patch.

HIGH Arbitrary Python code execution via postprocessor/python.py -8

gallery_dl/postprocessor/python.py executes Python code named in the configuration (a function loaded from a configured module path) as a post-download hook, in-process and without spawning a shell, so a shell-command monitor sees nothing. Combined with agent tool access (filesystem, shell), a malicious config achieves full code execution under the agent's process context and with whatever credentials that process holds.
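A configuration audit covering both the exec.py and the python.py findings, as an added example that is not gallery-dl's own code. It assumes gallery-dl's documented config layout: postprocessors are objects with a "name" key, either inline in a "postprocessors" list (under "extractor" or nested per site) or defined under the top-level "postprocessor" object and referenced by name as a string. The sample configuration is constructed for illustration; nothing in it was observed during the audit.

```python
#!/usr/bin/env python3
"""Audit a gallery-dl configuration for code-execution hooks.

Added example for this audit page, not gallery-dl's own code. Assumed config
layout: postprocessors are dicts with a "name" key, placed in a "postprocessors"
list (top-level under "extractor" or per site), or defined under the top-level
"postprocessor" object and referenced from such a list by name (a string).
"""
import json
import os

# Default config locations gallery-dl merges on startup (Linux/macOS).
DEFAULT_CONFIG_PATHS = (
    "/etc/gallery-dl.conf",
    "~/.config/gallery-dl/config.json",
    "~/.gallery-dl.conf",
)

# Postprocessors that run code supplied by whoever wrote the config.
CODE_EXEC_NAMES = {"exec", "python"}

# Constructed sample: a normal-looking config with one inline exec hook on the
# twitter extractor and one named python hook pulled in for every extractor.
SAMPLE_CONFIG = json.loads(r"""
{
  "extractor": {
    "base-directory": "./gallery-dl/",
    "postprocessors": ["tag-files"],
    "twitter": {
      "postprocessors": [
        {"name": "exec", "command": "notify-send 'saved {}'", "event": "after"}
      ]
    }
  },
  "postprocessor": {
    "tag-files": {"name": "python", "function": "~/hooks/tag.py:run"}
  }
}
""")


def find_code_exec_hooks(config):
    """Return (location, postprocessor name, command-or-function) for every
    exec/python postprocessor, whether inline, a named definition, or a
    reference to one. Named definitions are reported even when unreferenced:
    a single-line edit elsewhere would activate them."""
    named = config.get("postprocessor")
    if not isinstance(named, dict):
        named = {}
    findings = []

    def record(pp, location):
        if isinstance(pp, dict) and pp.get("name") in CODE_EXEC_NAMES:
            payload = pp.get("command") if pp["name"] == "exec" else pp.get("function")
            findings.append((location, pp["name"], payload))

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                here = f"{path}.{key}" if path else key
                if key == "postprocessors" and isinstance(value, list):
                    for i, entry in enumerate(value):
                        if isinstance(entry, str):  # reference to a named definition
                            record(named.get(entry), f"{here}[{i}] -> postprocessor.{entry}")
                        else:
                            record(entry, f"{here}[{i}]")
                elif key == "postprocessor" and not path and isinstance(value, dict):
                    for pp_name, pp in value.items():  # definitions, used or not
                        record(pp, f"postprocessor.{pp_name}")
                else:
                    walk(value, here)
        elif isinstance(node, list):
            for i, item in enumerate(node):
                walk(item, f"{path}[{i}]")

    walk(config, "")
    return findings


def audit_files(paths=DEFAULT_CONFIG_PATHS):
    """Load each existing config file and return {path: findings}. A file that
    does not parse is reported too: gallery-dl would reject it, but a half-
    written one is still evidence that something edited the config."""
    report = {}
    for raw in paths:
        path = os.path.expanduser(raw)
        if not os.path.isfile(path):
            continue
        try:
            with open(path, encoding="utf-8") as fh:
                report[path] = find_code_exec_hooks(json.load(fh))
        except (OSError, ValueError) as err:
            report[path] = [("(file)", "unparseable", str(err))]
    return report


if __name__ == "__main__":
    for location, name, payload in find_code_exec_hooks(SAMPLE_CONFIG):
        print(f"{name:6s} at {location}: {payload!r}")
    for path, findings in audit_files().items():
        print(f"{path}: {len(findings)} code-execution hook(s)")
```

Hooks passed on the command line (--exec, --exec-after, or -o/--option overrides) never appear in any file, so the agent's actual gallery-dl invocation has to be checked as well; a config audit alone is not sufficient.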

MEDIUM Canary credential files accessed prior to clone -15

Six high-value credential files were opened and read at 04:25:55, about 6 seconds before any GitHub connection, i.e. before the repository had been cloned and before any gallery-dl code was on disk. The files are .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and the GCloud application default credentials. All accesses are read-only (inotify CLOSE_NOWRITE events); the canary integrity check confirms none of them was modified, and the network monitoring saw no traffic other than the clone that could have carried their contents. The timing strongly suggests the monitoring framework's own baseline hashing pass, but the set of files precisely matches common credential-harvesting targets, so it is recorded here rather than dismissed.
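The timing argument in this finding, as an added example that is not part of the audit framework: put file-access and connection events on one timeline, pair each sensitive-file access with the first outbound connection after it, and separate "read-only burst with nothing sent" from "read, then connect". The event lines are constructed to mirror the pattern described above (six read-only accesses in one second, a GitHub connection six seconds later); they are not the audit's raw logs, and the home directory paths and the sensitive-path list are assumptions.

```python
#!/usr/bin/env python3
"""Correlate credential-file accesses with outbound connections.

Added example for this audit page, not the audit framework's code. The event
lines below are constructed to mirror the finding: inotify-style file events
and connect events on one timeline at HH:MM:SS resolution.
"""
from datetime import datetime

# Files a credential harvester typically reads (assumed list; extend as needed).
SENSITIVE_SUFFIXES = (
    "/.env",
    "/.ssh/id_rsa",
    "/.aws/credentials",
    "/.npmrc",
    "/.docker/config.json",
    "/application_default_credentials.json",
)

# Constructed timeline: "time kind event target".
EVENTS = """\
04:25:55 FILE CLOSE_NOWRITE /home/agent/.env
04:25:55 FILE CLOSE_NOWRITE /home/agent/.ssh/id_rsa
04:25:55 FILE CLOSE_NOWRITE /home/agent/.aws/credentials
04:25:55 FILE CLOSE_NOWRITE /home/agent/.npmrc
04:25:55 FILE CLOSE_NOWRITE /home/agent/.docker/config.json
04:25:55 FILE CLOSE_NOWRITE /home/agent/.config/gcloud/application_default_credentials.json
04:26:01 NET CONNECT 140.82.121.4:443
04:26:03 FILE CLOSE_WRITE /home/agent/work/gallery-dl/README.rst
"""


def parse_events(text):
    """Parse the four-column timeline into dicts with a datetime 't'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, event, target = line.split(None, 3)
        events.append({"t": datetime.strptime(ts, "%H:%M:%S"),
                       "kind": kind, "event": event, "target": target})
    return events


def is_sensitive(path):
    return path.endswith(SENSITIVE_SUFFIXES)


def correlate(events, window_s=30):
    """For each sensitive-file access, report whether it was a write and the
    gap to the next outbound connection within the window (None if none).
    A short read-then-connect gap is grounds for review, not proof of theft:
    only the bytes on the wire can show what, if anything, was sent."""
    connects = [e for e in events if e["kind"] == "NET"]
    results = []
    for e in events:
        if e["kind"] != "FILE" or not is_sensitive(e["target"]):
            continue
        nxt = next((c for c in connects if c["t"] >= e["t"]), None)
        gap = (nxt["t"] - e["t"]).total_seconds() if nxt else None
        in_window = gap is not None and gap <= window_s
        results.append({
            "path": e["target"],
            "modified": e["event"] == "CLOSE_WRITE",
            "next_connect": nxt["target"] if in_window else None,
            "gap_s": gap if in_window else None,
            "verdict": "review: read then outbound connect" if in_window
                       else "no outbound connect within window",
        })
    return results


def sensitive_read_span(events):
    """Seconds between the first and last sensitive-file access. A whole set
    of credential files touched within a second, all read-only, is the shape
    the finding attributes to the framework's baseline hashing; on its own it
    does not rule out harvesting, which is why the gap above is checked too."""
    times = [e["t"] for e in events if e["kind"] == "FILE" and is_sensitive(e["target"])]
    if not times:
        return None
    return (max(times) - min(times)).total_seconds()


if __name__ == "__main__":
    evs = parse_events(EVENTS)
    for r in correlate(evs):
        print(f"{r['path']}: modified={r['modified']} gap={r['gap_s']} -> {r['verdict']}")
    print(f"sensitive reads spanned {sensitive_read_span(evs)} s")
```

On the constructed timeline every credential read is followed by the GitHub connection six seconds later, so each one lands in "review"; the zero-second span and the absence of any write are what tip the interpretation towards a scanning pass. Adding bytes-sent counts per connection to the NET events would let the same loop distinguish a git clone from an upload.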

MEDIUM Self-update functionality fetches external code -10

gallery_dl/update.py implements gallery-dl's self-update (the -U/--update option), which downloads a newer version from an external URL and replaces the running installation outside any package-manager review. If gallery-dl is installed as an agent skill and the update endpoint is compromised, or if the agent can be instructed to update to an attacker-chosen version or URL, this path introduces arbitrary code into the running environment. Pinning the installed version and keeping the update option out of the agent's reach closes it.

LOW Broad authentication credential surface -8

gallery-dl accepts cookies, OAuth tokens, usernames and passwords, and API keys for roughly 300 sites, including Twitter/X, Instagram, Discord, and Patreon. If an agent configures these credentials and gallery-dl's configuration is then injected, the attacker's hook runs with access to the same config and cookie files, so session tokens for many services are exposed at once.

INFO SKILL.md is empty — no system prompt injection surface 0

The SKILL.md file, which would be injected into an LLM agent's system prompt, is completely empty. There are no instructions, persona overrides, hidden directives, or encoded payloads. This eliminates the highest-risk prompt injection vector entirely.

INFO Only expected GitHub network traffic observed 0

The sole external network connection during the audit window was to 140.82.121.4:443 (a GitHub address), consistent with a git clone operation. No connections to unexpected IPs and no DNS queries for suspicious domains were observed, and no new persistent listeners were established.