Is video-transcript-downloader safe?
https://clawhub.ai/steipete/video-transcript-downloader
This skill is a straightforward video transcript and download utility wrapping yt-dlp and a YouTube transcript API. The code is clean, single-purpose, and contains no prompt injection, data exfiltration, or hidden behavior. The primary concern is the yt-dlp argument passthrough mechanism (--) which could theoretically allow arbitrary command execution via yt-dlp's --exec flag if an agent were to pass attacker-controlled arguments, though this is a low-probability scenario in normal use.
Findings (5)
MEDIUM: yt-dlp argument passthrough allows arbitrary flags (score impact -15)
The -- passthrough mechanism forwards all subsequent arguments directly to yt-dlp. The yt-dlp tool supports an --exec flag that executes arbitrary shell commands after download. If an agent constructs a command with attacker-controlled extra args, this could lead to arbitrary command execution. In practice, this requires the agent to intentionally or accidentally pass --exec, which is unlikely but possible.
LOW: Child process spawning via spawn() (score impact -8)
The script spawns yt-dlp and ffmpeg as child processes. This is expected for a video downloader but means the skill has shell-level execution capability. The spawn() calls use array-based arguments (not shell: true), which mitigates shell injection risks.
LOW: User-supplied URL passed to external tools (score impact -5)
The --url parameter is passed directly to yt-dlp and youtube-transcript-plus without sanitization beyond basic presence checks. While these tools are designed to accept URLs, a crafted URL could potentially trigger unexpected behavior in yt-dlp's URL handling.
INFO: Single pinned dependency with integrity hash (score impact 0)
The package-lock.json pins [email protected] with a sha512 integrity hash, reducing supply-chain risk. No install scripts detected.
INFO: Filesystem activity is from platform runtime, not skill (score impact 0)
The .env, .aws/credentials, .openclaw/ reads visible in filesystem monitoring are from the OpenClaw agent platform startup sequence, not from the skill code. The skill itself performs no filesystem reads during installation.