
Youtube Hq Downloader

Author: accidwar · GitHub ↗ · v1.0.1
cross-platform ⚠ suspicious
Total downloads: 422
Favorites: 0
Current installs: 0
Versions: 2
Install in OpenClaw
/install youtube-hq-downloader
Description
Youtube Highest Quality Downloader - Download highest quality silent video and pure audio from YouTube, then merge into video with sound
Security usage recommendations
This skill appears to do what it says (download and merge YouTube video/audio) but take precautions before running:
  1. Inspect the code yourself (download.py and download.sh) and confirm you trust the yt-dlp package source.
  2. Run the scripts inside an isolated environment (container or VM) rather than as your main user.
  3. Do not pass untrusted/remote-provided URLs without sanitizing: the scripts interpolate the URL into shell commands (subprocess.run with shell=True and the bash script), which can allow command injection if an attacker controls the URL.
  4. Note the shell script may source another skill's virtualenv ($HOME/clawd/skills/video-subtitles/.venv); verify that venv's contents before allowing it to be sourced.
  5. To harden: use subprocess.run with argument lists (no shell=True) or shlex.quote inputs, and prefer to pip-install packages into an isolated venv manually.
Also consider copyright/legal issues when downloading YouTube content.
Functional analysis
Type: OpenClaw Skill
Name: youtube-hq-downloader
Version: 1.0.1
The skill is classified as suspicious due to critical shell injection vulnerabilities in both `download.sh` and `download.py`. In `download.sh`, the `ls ${OUTPUT_NAME}_video.*` command uses an unsanitized user-controlled `OUTPUT_NAME` variable, allowing arbitrary command execution. In `download.py`, the use of `subprocess.run(..., shell=True)` and `os.system()` with f-strings embedding user-controlled `url` and `output_name` variables, even when quoted, presents a high risk of shell injection if the inputs contain malicious characters that can break out of the quotes. These vulnerabilities could lead to arbitrary code execution on the agent's host machine, but there is no clear evidence of intentional malicious behavior (e.g., data exfiltration or backdoors), classifying it as a vulnerability rather than malware.
Capability assessment
Purpose & Capability
Name/description match the included scripts: download.py and download.sh invoke yt-dlp and ffmpeg to fetch highest-quality video and audio and merge them. Requiring yt-dlp and ffmpeg (installed at runtime or system) is coherent. One minor oddity: download.sh checks and sources a virtualenv from another skill path ($HOME/clawd/skills/video-subtitles/.venv), which is not necessary for this skill's stated purpose and is unexpected.
Instruction Scope
SKILL.md and scripts instruct the agent/user to create a venv and pip-install yt-dlp and to run shell commands. The Python and shell scripts call external commands via shell execution and interpolate user-controlled URL/filename values directly into shell command strings (subprocess.run(..., shell=True) and shell scripts). This creates a command-injection risk if input is untrusted. The scripts do not read unrelated system config or environment secrets, but sourcing another skill's venv could execute arbitrary activation scripts from that other skill.
Install Mechanism
There is no formal install spec; the runtime behavior installs yt-dlp into a local venv via pip if not present. Installing from PyPI is common for this use-case but is a higher-risk install vector than using a reviewed system package; users should verify the package and run installs in an isolated environment. No downloads from unknown URLs or extract steps are present.
Credentials
The skill does not request any environment variables, credentials, or config paths. The only file-path interaction is creating an output directory and optionally sourcing a venv. Requested access appears proportionate to the stated function.
Persistence & Privilege
always:false and no modifications to global agent config—reasonable. However, the shell script will create and reuse a .venv inside the skill directory (normal), and it may source a different skill's virtualenv if present, which gives it the ability to execute code from that other skill's environment during runtime (unexpected and worth checking).
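How to use
  1. Make sure OpenClaw is installed (locally or via Docker)
  2. Enter the install command in the chat box: /install youtube-hq-downloader
  3. Once installation completes, invoke the Skill by name or trigger it with /youtube-hq-downloader
  4. Provide the required inputs according to the Skill's parameter description to get structured output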
Version history
v1.0.1
Fixed: Now downloads highest quality video (not limited to MP4), re-encodes for better compatibility
v1.0.0
Initial release of YouTube Highest Quality Downloader.
  - Download the highest quality silent video and pure audio from YouTube.
  - Merge downloaded video and audio into a single file with sound using ffmpeg.
  - Works independently with no dependencies on other skills.
  - Supports both script-based and manual command usage.
  - Provides bilingual usage instructions and troubleshooting tips.
Metadata
Slug youtube-hq-downloader
Version 1.0.1
License
Total installs 0
Current installs 0
Number of versions 2
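FAQ

What is Youtube Hq Downloader?

Youtube Highest Quality Downloader - Download highest quality silent video and pure audio from YouTube, then merge into video with sound. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 422 total downloads to date.

How do I install Youtube Hq Downloader?

Run the command "/install youtube-hq-downloader" in the OpenClaw or Claude Code chat box for a one-click install; no additional configuration is required.

Is Youtube Hq Downloader free?

Yes, Youtube Hq Downloader is completely free (free and open source) and can be freely downloaded, installed and used.

Which platforms does Youtube Hq Downloader support?

Youtube Hq Downloader runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Youtube Hq Downloader?

It is developed and maintained by accidwar (@accidwar); the current version is v1.0.1.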
