Yt Dlp Download Skill
Author: wangxiaolei · v1.0.1 · MIT-0
Total downloads: 149 · Favorites: 0 · Current installs: 0 · Versions: 2
Install in OpenClaw
/install yt-dlp-download-skill
Description
yt-dlp-powered downloader for YouTube, Bilibili, X (Twitter), TikTok/Douyin, and more. Given a video URL, download video (720p/1080p/best), extract MP3/audio...
Security usage recommendations
This skill appears to do what it claims (use yt-dlp to download media), but it includes a helper script that builds a shell command and runs it via eval without validating URLs. That creates a command-injection risk: a maliciously crafted URL could cause arbitrary commands to run. Before installing or enabling this skill:
- Inspect or replace scripts/download.sh. Prefer invoking yt-dlp with an argument array (no eval) or use bash exec with properly quoted parameters. Validate the URL scheme (http/https) and reject or sanitize unexpected characters (quotes, semicolons, backticks).
- If you still want to use it, do not enable autonomous invocation for this skill (require user confirmation before any download), or run it in a strict sandbox/container.
- Be cautious about the '--cookies-from-browser' behavior: it can access browser cookies if yt-dlp can read them — only use when you understand and consent to that.
- If you lack the ability to audit/patch the script, prefer running yt-dlp manually or using an alternative skill with safer command invocation. If you proceed, apply the minimal-privilege principle and only enable the skill for trusted users/contexts.
Functional analysis
Type: OpenClaw Skill
Name: yt-dlp-download-skill
Version: 1.0.1
The skill provides legitimate video downloading functionality via yt-dlp but contains a shell injection vulnerability in 'scripts/download.sh' due to the use of 'eval' on unsanitized input variables ($URL and $DOWNLOAD_PATH). While the 'SKILL.md' and 'skill.yaml' instructions explicitly advise the AI agent to validate URLs and avoid arbitrary shell execution, the helper script itself is architecturally flawed. No evidence of intentional malice, data exfiltration, or persistence was found.
Capability assessment
Purpose & Capability
Name, description, required binaries, and permissions align with a downloader built around yt-dlp and ffmpeg. Requesting shell, filesystem, and network access is expected for downloading and saving media.
Instruction Scope
The SKILL.md instructs the agent to 'validate URL scheme' and 'construct safe commands', but the included scripts/download.sh does not validate or sanitize the URL and uses eval to execute the assembled command string. This mismatch creates a realistic command-injection vector if an attacker or malicious input supplies a crafted URL. The SKILL.md's guidance about avoiding arbitrary shell execution is not enforced by the script.
Install Mechanism
Installers declared (uv package for yt-dlp and Homebrew formula for ffmpeg on macOS) are reasonable and traceable. 'uv' appears to be a package installer (pipx/uv style) rather than an arbitrary URL download. No extracted arbitrary archive URLs or personal servers are used.
Credentials
No environment variables or unrelated credentials are requested. Declared requirements (yt-dlp and optionally ffmpeg) match the stated functionality.
Persistence & Privilege
always is false and the skill has no config paths requiring broad system access. However, the skill is granted shell/filesystem/network permissions (necessary for its function) — combined with the command-execution practice in the script this increases the blast radius if untrusted inputs are processed or the agent is permitted autonomous execution.
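How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install yt-dlp-download-skill
- Once installation completes, call the Skill by name or use /yt-dlp-download-skill to trigger it
- Provide the required input according to the Skill's parameter description to get structured output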
Version history
v1.0.1
- Updated description to clarify playlist downloading, subtitle language selection, and automatic audio/video merging.
- Improved clarity around supported sites and output options in metadata and description.
- No changes to core logic or workflow; documentation improvements only.
v1.0.0
- Initial release of yt-dlp-download-skill
- Download videos from YouTube, Bilibili, Twitter/X, TikTok/Douyin, and more via yt-dlp
- Supports video download, MP3 audio extraction, subtitle fetching, and quality selection (720p/1080p/best)
- Includes safety checks for URLs and output paths
- Provides troubleshooting tips for common issues like missing dependencies and video access errors
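FAQ
What is Yt Dlp Download Skill?
yt-dlp-powered downloader for YouTube, Bilibili, X (Twitter), TikTok/Douyin, and more. Given a video URL, download video (720p/1080p/best), extract MP3/audio... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 149 total downloads so far.
How do I install Yt Dlp Download Skill?
Run the command "/install yt-dlp-download-skill" in the OpenClaw or Claude Code chat box for a one-click install; no additional configuration is required.
Is Yt Dlp Download Skill free?
Yes. Yt Dlp Download Skill is completely free and released under the MIT-0 license; it can be freely downloaded, installed, and used.
Which platforms does Yt Dlp Download Skill support?
Yt Dlp Download Skill runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (darwin, linux, win32).
Who developed Yt Dlp Download Skill?
It is developed and maintained by wangxiaolei (@fatelei); the current version is v1.0.1.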