iopho-getting-videos
Audited by Socket on Feb 27, 2026
1 alert found:
Security

This skill is functionally coherent and matches its stated purpose (downloading video/audio/subtitles/metadata). It is not directly malicious as presented, but it carries moderate supply-chain and credential exposure risks: it relies on multiple external CLIs and Python packages (un-pinned installs), and it encourages use of --cookies-from-browser which exposes browser session cookies to the downloader. The ability to invoke arbitrary local tools (yt-dlp, ffmpeg, BBDown, lux, you-get, aria2c, python) means a compromised tool or malicious install could execute arbitrary actions and exfiltrate data. Recommended mitigations: prefer pinned/verified installs, avoid sharing browser cookies unless necessary, run downloads in a restricted/sandboxed environment, and audit third-party CLIs before granting the agent execute permissions.