twitter-media-downloader
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
CREDENTIALS_UNSAFE, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, NO_CODE
Full Analysis
- [CREDENTIALS_UNSAFE] (HIGH): The documentation recommends extracting cookies from the user's browser (e.g., Firefox) to authenticate. Evidence: SKILL.md encourages the use of the --browser flag, which exposes sensitive session tokens to the script environment.
- [NO_CODE] (HIGH): The primary execution logic in scripts/download.py is missing from the repository. Evidence: Documentation describes CLI arguments for a file that does not exist in the bundle.
- [COMMAND_EXECUTION] (MEDIUM): The skill likely spawns subprocesses for gallery-dl and yt-dlp. Evidence: SKILL.md examples show command-line usage that would require shell execution of third-party tools.
- [EXTERNAL_DOWNLOADS] (MEDIUM): The skill depends on gallery-dl and yt-dlp. Evidence: SKILL.md lists these as requirements.
- [PROMPT_INJECTION] (MEDIUM): The skill processes untrusted content from Twitter URLs. Evidence Chain: (1) Ingestion point: Twitter URLs in SKILL.md. (2) Boundary markers: Absent. (3) Capability inventory: File write and command execution. (4) Sanitization: Unknown due to missing code.
Recommendations
- AI detected serious security threats
Audit Metadata