Low Risk — Risk Score 22/100
Last scan: 23 hr ago
twitter-video-download
Download videos from Twitter/X posts using yt-dlp
A legitimate Twitter video downloader using yt-dlp with good security practices (shell:false, URL validation, filename sanitization). Minor concerns around unpinned dependencies and SSL bypass flag.
Skill Name: twitter-video-download
Duration: 25.8s
Engine: pi
Safe to install
Approve for use with a note to pin yt-dlp to a specific version for production deployments. The `--no-check-certificate` flag usage should be reviewed.

Findings (2 items)

Severity: Low
Finding: yt-dlp dependency not version-pinned (Supply Chain)
The SKILL.md instructs `pip install yt-dlp` without specifying a version, so a future malicious release of the package would be installed automatically.
Evidence: pip install yt-dlp
→ Use version pinning: `pip install yt-dlp==2024.03.10` or equivalent
Location: SKILL.md:9

Severity: Low
Finding: SSL certificate verification bypass flag present (Sensitive Access)
The script passes the `--no-check-certificate` flag to yt-dlp, which disables TLS certificate validation and could allow MITM attacks when using a proxy.
Evidence: '--no-check-certificate'
→ Remove --no-check-certificate or make it conditional only for specific broken proxy scenarios
Location: scripts/download.mjs:103
Resource | Declared | Inferred | Status | Evidence
Shell | NONE | WRITE | ✓ Aligned | SKILL.md does not explicitly declare subprocess/spawn usage for yt-dlp, though i…
Filesystem | WRITE | WRITE | ✓ Aligned | Writes downloaded video files to specified output path
Network | READ | READ | ✓ Aligned | Downloads video content from Twitter/X URLs only
External URLs (4 findings)

Severity | Type | URL | Location
Medium | External URL | https://x.com/username/status/123456789 | RELEASE_NOTES.md:74
Medium | External URL | https://x.com/user/status/123456789 | RELEASE_NOTES.md:78
Medium | External URL | https://x.com/xxx/status/xxx | SKILL.md:26
Medium | External URL | https://twitter.com/username/status/123456789 | SKILL.md:43

File Tree

3 files · 10.0 KB · 372 lines
Markdown: 2 files · 191 lines; JavaScript: 1 file · 181 lines
├─ 📁 scripts
│ └─ 📜 download.mjs JavaScript 181L · 5.2 KB
├─ 📝 RELEASE_NOTES.md Markdown 110L · 2.4 KB
└─ 📝 SKILL.md Markdown 81L · 2.3 KB

Dependencies (1 item)

Package | Version | Source | Known Vulns | Notes
yt-dlp | * | pip | No | Version not pinned - should specify exact version

Security Positives

✓ Uses shell:false in Node.js spawn - prevents shell injection attacks
✓ Implements URL validation limiting to twitter.com and x.com domains only
✓ Applies filename sanitization preventing path traversal attacks
✓ Validates proxy URL format before use
✓ Uses well-known, trusted yt-dlp library (not custom HTTP implementation)
✓ No credential harvesting or environment variable exfiltration
✓ No access to sensitive paths like ~/.ssh or ~/.aws
✓ No obfuscation or encoded execution patterns