yt-dlp-downloader

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH (COMMAND_EXECUTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS)
Full Analysis
  • Dynamic Execution (HIGH): The helper script scripts/download.sh uses eval to execute a shell command constructed from unsanitized user input.
      • Evidence: In scripts/download.sh, line 131 executes eval $CMD. The variable $CMD is built using $URL (line 128) and $DOWNLOAD_PATH (line 115), both of which are taken directly from command-line arguments without escaping or sanitization.
      • Risk: An attacker can provide a malicious URL or path containing shell metacharacters (e.g., "; touch /tmp/pwned; #") to execute arbitrary commands on the host system.
  • Data Exposure & Exfiltration (MEDIUM): The skill instructs the agent to access sensitive browser session data.
      • Evidence: SKILL.md and README.md repeatedly suggest the use of the --cookies-from-browser chrome flag to bypass YouTube download restrictions.
      • Risk: This grants the tool access to the user's active login sessions and authentication tokens. While a standard feature of the underlying tool, its use in an automated environment with a command injection vulnerability significantly increases the risk of credential theft.
  • Unverifiable Dependencies & Remote Code Execution (LOW): The skill relies on external binaries that must be installed by the user.
      • Evidence: Documentation requires the installation of yt-dlp via pip and ffmpeg via brew or apt.
      • Risk: While these are legitimate tools, the skill forces dependencies from external repositories which may be updated independently of the skill's security profile.
  • Indirect Prompt Injection (LOW): The skill processes external URLs which could be provided by untrusted sources.
      • Evidence: The skill ingests a URL which is then interpolated into a shell command without sanitization.
      • Boundary markers: None (the script uses quotes which are bypassed by the eval call).
      • Capability inventory: Shell execution via eval, network access via yt-dlp.
      • Sanitization: None provided in the shell script.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 17, 2026, 06:40 PM