youtube-downloader

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill explicitly instructs copying browser cookies and authentication headers from DevTools into yt-dlp/ffmpeg command lines (e.g., using --cookies-from-browser, --cookies-file, and -headers), which requires embedding session/cookie/token values verbatim in generated commands and thus risks secret exfiltration.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill fetches and interprets public, user-generated content from arbitrary third-party URLs (e.g., yt-dlp --dump-json in print_video_info and fetch_oembed_info calling https://www.youtube.com/oembed, plus explicit "Always render the thumbnail" Markdown image rendering), so the agent will read and display untrusted metadata/thumbnails from YouTube/HLS sources that could carry injected instructions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill's runtime installs and starts PO token providers (it runs pip install for packages like bgutil-ytdlp-pot-provider using the PYPI_MIRROR https://pypi.tuna.tsinghua.edu.cn/simple and may docker run brainicism/bgutil-ytdlp-pot-provider), which downloads and executes remote code at runtime and is treated as a required dependency for its default auto PO-token flow.