media-downloader
Pass
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: SAFE
Full Analysis
- [COMMAND_EXECUTION]: The skill facilitates the execution of the 'yt-dlp' command-line utility via a Python wrapper.
  - Ingestion points: The 'scripts/download.py' script accepts a URL and various configuration flags from the user.
  - Evidence: The script constructs a command list and executes it using 'subprocess.run(cmd)'.
  - Sanitization: By passing the command as a list rather than a single string with 'shell=True', the script effectively mitigates shell injection risks, ensuring that user-provided arguments like the URL or output template cannot be used to execute arbitrary shell commands.
- [EXTERNAL_DOWNLOADS]: The skill is designed to download media content from external sources.
  - Evidence: 'SKILL.md' and 'scripts/download.py' describe and implement the use of 'yt-dlp' for fetching video and audio data from remote servers.
  - Security Note: This is the primary and intended function of the skill. The tool utilized, 'yt-dlp', is a well-known and trusted open-source project for this purpose.
- [CREDENTIALS_UNSAFE]: The documentation provides instructions for authenticated downloads.
  - Evidence: The 'SKILL.md' file includes examples for using the '--cookies-from-browser' flag and placeholders for username and password arguments.
  - Security Note: No actual credentials, API keys, or private tokens are hardcoded within the skill's files. The inclusion of these features is a standard capability of the underlying tool to allow users to access their own restricted content.