youtube-downloader

Pass

Audited by Gen Agent Trust Hub on Mar 29, 2026

Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The script scripts/download_video.py executes the yt-dlp and ffmpeg binaries using the subprocess module. It passes arguments as a list, which is a recommended security practice to prevent shell injection vulnerabilities when processing user-provided URLs and file paths.
  • [EXTERNAL_DOWNLOADS]: The skill installs the yt-dlp package from a public registry. This dependency is required for the skill's primary function and is a widely used and trusted open-source utility.
  • [PROMPT_INJECTION]: The skill fetches and processes metadata from external websites, creating an indirect prompt injection surface.
      • Ingestion points: Metadata is retrieved in scripts/download_video.py using yt-dlp -j.
      • Boundary markers: The script does not use specific delimiters or warnings when handling retrieved metadata.
      • Capability inventory: The script has capabilities for file system interaction and process execution.
      • Sanitization: While filename sanitization is performed via regex, the content of the metadata (like descriptions) is not sanitized before being returned to the agent context.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 29, 2026, 01:30 AM