youtube-downloader
Pass
Audited by Gen Agent Trust Hub on Feb 19, 2026
Risk Level: SAFE
Tags: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
- Unverifiable Dependencies & Remote Code Execution (LOW): The script automatically installs the yt-dlp package from PyPI if it is not found on the system during execution.
  - Evidence: subprocess.run([sys.executable, "-m", "pip", "install", "--break-system-packages", "yt-dlp"], check=True) in scripts/download_video.py.
- Indirect Prompt Injection (LOW): The skill accepts a URL from the user and passes it to an external tool (yt-dlp) to fetch metadata and video content.
  - Ingestion point: url argument in scripts/download_video.py.
  - Boundary markers: None.
  - Capability: Executing yt-dlp to fetch metadata and download files to the local file system.
  - Sanitization: The script uses subprocess.run with a list of arguments (execvp-style) rather than a shell string, which effectively prevents shell command injection via the URL parameter.
Audit Metadata