The Agent Skills Directory

REMOTE_CODE_EXECUTION (LOW): The SETUP.md file provides instructions for macOS users to install Homebrew using a piped bash command: curl -fsSL ... | bash. While this is the standard installation method for the Homebrew package manager, the pattern of executing remote scripts directly in a shell is a security risk.
EXTERNAL_DOWNLOADS (SAFE): The skill depends on yt-dlp and ffmpeg. These are widely used, legitimate open-source tools for media downloading and processing.
COMMAND_EXECUTION (SAFE): The scripts/download.py script uses the yt_dlp Python library rather than calling external shell commands for its core logic. It implements multiple layers of protection against filename-based command injection, including a custom sanitize_filename function and the restrictfilenames: True configuration in the library options.
INDIRECT_PROMPT_INJECTION (LOW):
Ingestion points: The skill ingests untrusted metadata (video titles) from YouTube via the yt-dlp library in scripts/download.py.
Boundary markers: Absent; video titles are printed directly to the console output.
Capability inventory: The skill has file-writing capabilities to the user's local directory.
Sanitization: The skill uses regex-based sanitization and library-level flags (restrictfilenames) to ensure that video titles cannot be used to perform directory traversal or unauthorized file-writing operations.

youtube-downloader