Downloads: 422
Stars: 0
Active Installs: 0
Versions: 2
Install in OpenClaw
/install youtube-hq-downloader
Description
Youtube Highest Quality Downloader - Download highest quality silent video and pure audio from YouTube, then merge into video with sound
Usage Guidance
This skill appears to do what it says (download and merge YouTube video/audio) but take precautions before running:
1) Inspect the code yourself (download.py and download.sh) and confirm you trust the yt-dlp package source.
2) Run the scripts inside an isolated environment (container or VM) rather than as your main user.
3) Do not pass untrusted/remote-provided URLs without sanitizing: the scripts interpolate the URL into shell commands (subprocess.run with shell=True and the bash script), which can allow command injection if an attacker controls the URL.
4) Note the shell script may source another skill's virtualenv ($HOME/clawd/skills/video-subtitles/.venv); verify that venv's contents before allowing it to be sourced.
5) To harden: use subprocess.run with argument lists (no shell=True) or shlex.quote inputs, and prefer to pip-install packages into an isolated venv manually.
Also consider copyright/legal issues when downloading YouTube content.
Capability Analysis
Type: OpenClaw Skill
Name: youtube-hq-downloader
Version: 1.0.1
The skill is classified as suspicious due to critical shell injection vulnerabilities in both `download.sh` and `download.py`. In `download.sh`, the `ls ${OUTPUT_NAME}_video.*` command uses an unsanitized user-controlled `OUTPUT_NAME` variable, allowing arbitrary command execution. In `download.py`, the use of `subprocess.run(..., shell=True)` and `os.system()` with f-strings embedding user-controlled `url` and `output_name` variables, even when quoted, presents a high risk of shell injection if the inputs contain malicious characters that can break out of the quotes. These vulnerabilities could lead to arbitrary code execution on the agent's host machine, but there is no clear evidence of intentional malicious behavior (e.g., data exfiltration or backdoors), classifying it as a vulnerability rather than malware.
Capability Assessment
Purpose & Capability
Name/description match the included scripts: download.py and download.sh invoke yt-dlp and ffmpeg to fetch highest-quality video and audio and merge them. Requiring yt-dlp and ffmpeg (installed at runtime or system) is coherent. One minor oddity: download.sh checks and sources a virtualenv from another skill path ($HOME/clawd/skills/video-subtitles/.venv), which is not necessary for this skill's stated purpose and is unexpected.
Instruction Scope
SKILL.md and scripts instruct the agent/user to create a venv and pip-install yt-dlp and to run shell commands. The Python and shell scripts call external commands via shell execution and interpolate user-controlled URL/filename values directly into shell command strings (subprocess.run(..., shell=True) and shell scripts). This creates a command-injection risk if input is untrusted. The scripts do not read unrelated system config or environment secrets, but sourcing another skill's venv could execute arbitrary activation scripts from that other skill.
Install Mechanism
There is no formal install spec; the runtime behavior installs yt-dlp into a local venv via pip if not present. Installing from PyPI is common for this use-case but is a higher-risk install vector than using a reviewed system package; users should verify the package and run installs in an isolated environment. No downloads from unknown URLs or extract steps are present.
Credentials
The skill does not request any environment variables, credentials, or config paths. The only file-path interaction is creating an output directory and optionally sourcing a venv. Requested access appears proportionate to the stated function.
Persistence & Privilege
always:false and no modifications to global agent config—reasonable. However, the shell script will create and reuse a .venv inside the skill directory (normal), and it may source a different skill's virtualenv if present, which gives it the ability to execute code from that other skill's environment during runtime (unexpected and worth checking).
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install youtube-hq-downloader
- After installation, invoke the skill by name or use /youtube-hq-downloader
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.1
Fixed: Now downloads highest quality video (not limited to MP4), re-encodes for better compatibility
v1.0.0
Initial release of YouTube Highest Quality Downloader.
- Download the highest quality silent video and pure audio from YouTube.
- Merge downloaded video and audio into a single file with sound using ffmpeg.
- Works independently with no dependencies on other skills.
- Supports both script-based and manual command usage.
- Provides bilingual usage instructions and troubleshooting tips.
Frequently Asked Questions
What is Youtube Hq Downloader?
Youtube Highest Quality Downloader - Download highest quality silent video and pure audio from YouTube, then merge into video with sound. It is an AI Agent Skill for Claude Code / OpenClaw, with 422 downloads so far.
How do I install Youtube Hq Downloader?
Run "/install youtube-hq-downloader" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Youtube Hq Downloader free?
Yes, Youtube Hq Downloader is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Youtube Hq Downloader support?
Youtube Hq Downloader is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created Youtube Hq Downloader?
It is built and maintained by accidwar (@accidwar); the current version is v1.0.1.