yt-dlp

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt demonstrates and encourages passing usernames/passwords and cookies directly on the command line (e.g., -u user -p pass, --username/--password, --cookies), which requires embedding secret values verbatim in generated commands and is an insecure credential-handling pattern.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill directs yt-dlp to download and extract metadata from arbitrary public URLs (e.g., examples like "yt-dlp https://url", "--dump-json", "--get-description"), which ingests untrusted, user-generated content from sites such as YouTube and other public websites.