yt-dlp
Audited by Socket on Feb 21, 2026
1 alert found:
Malware [Skill Scanner] Natural language instruction to download and install from URL detected

All findings:
[CRITICAL] command_injection: Natural language instruction to download and install from URL detected (CI009) [AITech 9.1.4]
[HIGH] data_exfiltration: Credential file access detected (DE002) [AITech 8.2.3]

BENIGN: The skill fragment is a legitimate, well-documented helper/installation guide for yt-dlp. There are download/install steps from recognized sources, no credential handling or data exfiltration, and no covert or autonomous actions. The footprint is coherent with enabling legitimate use of the yt-dlp tool. Security risk is medium-low due to standard download/install patterns, but no active remote actions or credential leakage identified.

LLM verification: This file is a legitimate, feature-rich documentation for yt-dlp and does not itself contain malicious code. However, it includes several supply-chain and operational security patterns that raise risk if followed without caution: (1) curl-based download-and-execute installation of binaries without integrity verification, (2) examples of unpinned pip installs that are risky in automated contexts, and (3) instructions to use browser cookie exports which can expose session credentials. Recommendati