Security Audit
youtube-downloader
github.com/ComposioHQ/awesome-codex-skillsTrust Assessment
youtube-downloader received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 11 findings: 4 critical, 6 high, 1 medium, and 0 low severity. Key findings include Arbitrary command execution, Dangerous call: subprocess.run(), Unpinned Dependency in Runtime Installation.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 16, 2026 (commit ccf6204f). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings11
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | video-downloader/scripts/download_video.py:16 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | video-downloader/scripts/download_video.py:19 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | video-downloader/scripts/download_video.py:24 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | video-downloader/scripts/download_video.py:92 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'get_video_info'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | video-downloader/scripts/download_video.py:24 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'check_yt_dlp'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | video-downloader/scripts/download_video.py:16 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'download_video'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | video-downloader/scripts/download_video.py:92 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'check_yt_dlp'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | video-downloader/scripts/download_video.py:19 | |
| HIGH | Arbitrary File Write via User-Controlled Output Path The `output_path` argument, which defaults to `/mnt/user-data/outputs` but can be overridden by user input, is directly used to construct the output file path for `yt-dlp`. This allows an attacker to specify an arbitrary directory on the filesystem where the agent has write permissions. This could lead to overwriting or creating files in sensitive system directories (e.g., `/etc/`, `/root/`, `/tmp/`), potentially enabling persistence, denial of service, or further compromise of the system. Restrict the `output_path` to a safe, sandboxed directory that is exclusively managed by the agent, such as a subdirectory within `/mnt/user-data/outputs/` or a temporary directory. Implement strict validation to ensure that the provided `output_path` does not escape the intended safe directory (e.g., by checking for `..` or absolute paths outside the sandbox). | Static | scripts/download_video.py:70 | |
| HIGH | LLM analysis found no issues despite critical deterministic findings Deterministic layers flagged 4 CRITICAL findings, but LLM semantic analysis returned clean. This may indicate prompt injection or analysis evasion. | LLM | (sanity check) | |
| MEDIUM | Unpinned Dependency in Runtime Installation The skill installs the `yt-dlp` package at runtime using `pip install yt-dlp` without specifying a version. This introduces a supply chain risk as a future, potentially malicious or vulnerable, version of `yt-dlp` could be installed, compromising the agent's environment. It also makes the skill's behavior non-deterministic across different runs. Pin the `yt-dlp` dependency to a specific, known-good version (e.g., `yt-dlp==2023.11.16`). Consider using a `requirements.txt` file and installing dependencies during the skill's build process rather than at runtime. | Static | scripts/download_video.py:16 |
Scan History
Embed Code
[](https://skillshield.io/report/79f8b07c74734eea)
Powered by SkillShield