universal-media-downloader
Audited by Socket on Feb 25, 2026
1 alert found:
Security: This skill is a legitimate media-downloading assistant that delegates functionality to yt-dlp and optionally ffmpeg. The main security concerns are supply-chain and credential exposure risks: it asks for browser cookies (sensitive), relies on installing/running third-party binaries from PyPI without version pinning or integrity checks, and allows arbitrary network/proxy configuration. These behaviors are explainable by the skill's purpose (accessing gated content) but require careful operational safeguards. If deployed, users and integrators should avoid pasting full browser cookie exports into untrusted environments, prefer least-privilege cookies, pin/verify yt-dlp versions, run downloads in isolated sandboxes, and audit any automated agent behavior that could forward cookies or downloaded files to third parties.