A robust CLI wrapper for yt-dlp to download videos, playlists, and audio from YouTube and thousands of other sites. Supports format selection, quality control, metadata embedding, and cookie authentication.
Security Analysis
high confidenceThe skill is internally consistent with its stated purpose — it's an instruction-level wrapper around yt-dlp with no unexpected credential or install demands — though there are a couple of small documentation/packaging gaps you should be aware of before running it.
Name/description match the included files: docs plus a simple wrapper script that calls yt-dlp and ffmpeg. Requested capabilities (download, format selection, metadata, cookies) align with what yt-dlp provides; no unrelated services or privileges are requested.
SKILL.md and references stay on-topic and only instruct use of yt-dlp/ffmpeg and the wrapper script. The wrapper does not read arbitrary files or network endpoints beyond yt-dlp's normal behavior. Note: the script warns to run 'scripts/setup' if yt-dlp isn't found, but no scripts/setup file is included in the bundle — this is a packaging/documentation gap (not evidence of exfiltration).
No install spec in the registry (instruction-only), which minimizes automatic disk writes. The docs recommend installing yt-dlp via pip or package managers and warn against untrusted curl|sh installers. The included references even show a GitHub release URL (a normal source).
The skill requires no environment variables, no credentials, and no config paths. The docs caution about cookie use (which is appropriate) but do not attempt to access browser secrets themselves. This is proportionate to a downloader wrapper.
always is false and model invocation/autonomy is default. The skill does not request permanent presence or modify other skills. No elevated privileges or system-wide config modifications are attempted.
Guidance
This skill is a thin wrapper around yt-dlp and appears coherent. Before installing/using it: 1) ensure yt-dlp and ffmpeg are installed from official sources (pip, your OS package manager, or official GitHub releases) instead of running random curl|sh installers; 2) inspect the bundle (especially scripts/download.sh) — it attempts to use a .venv yt-dlp if present and otherwise calls system yt-dlp; 3) be cautious with cookies: using --cookies-from-browser can expose browser session cookies — prefer exporting a cookies.txt file and review it; 4) note a minor packaging gap: the script mentions 'scripts/setup' but that file is not included, so the script may fail if yt-dlp isn't already available. If you plan to let an autonomous agent use this skill, explicitly restrict use of browser cookies and confirm you trust the agent to run local commands that may write files to your download directory.
Latest Release
v1.0.1
- Added the main download script at scripts/download.sh. - Updated documentation: script usage now references scripts/download.sh instead of scripts/download. - Added a new "Installation & Security" section to SKILL.md, with guidance on installing yt-dlp/ffmpeg and safe cookie handling. - Minor documentation improvements for enhanced clarity and accuracy.
More by @1999AZZAR
Published by @1999AZZAR on ClawHub
