yt-dlp
Fail
Audited by Gen Agent Trust Hub on Feb 14, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, CREDENTIALS_UNSAFE
Full Analysis
- [COMMAND_EXECUTION] (HIGH): The script `scripts/download.sh` uses `"$@"` to pass all user-provided arguments directly to `yt-dlp`. Many CLI tools, including `yt-dlp`, support flags like `--exec` or `--downloader-args` that allow for arbitrary shell command execution. An attacker could trick the agent into including these flags in the argument list to compromise the host system.
- [REMOTE_CODE_EXECUTION] (HIGH): Indirect prompt injection via the command-line interface. Since `yt-dlp` is designed to process untrusted external content (URLs), the lack of argument sanitization allows for a 'parameter injection' attack where metadata or URLs provided by a third party could be crafted to include malicious flags.
- [EXTERNAL_DOWNLOADS] (HIGH): The documentation in `references/guide.md` and `references/usage.md` explicitly recommends an insecure installation method: `sudo curl -L [URL] -o /usr/local/bin/yt-dlp && sudo chmod a+rx`. This pattern encourages users to execute remote scripts with root privileges without verifying integrity.
- [CREDENTIALS_UNSAFE] (MEDIUM): The skill promotes the use of `--cookies-from-browser`. While a standard feature of `yt-dlp`, in the context of an AI agent this provides the agent (and potentially a remote attacker via prompt injection) access to the user's active session cookies for various websites.
- [INDIRECT PROMPT INJECTION] (HIGH):
  - Ingestion points: User-supplied `<URL>` and `[OPTIONS]` in `scripts/download.sh`.
  - Boundary markers: None present. User inputs are appended directly to the command string.
  - Capability inventory: Full subprocess execution via `yt-dlp`, which itself has command-execution capabilities (`--exec`).
  - Sanitization: None. The script does not validate or escape the input arguments before execution.
Recommendations
- AI detected serious security threats
Audit Metadata