Low risk: risk score 22/100
Last scan: 1 day ago
twitter-video-download
Download videos from Twitter/X posts using yt-dlp
A legitimate Twitter video downloader using yt-dlp with good security practices (shell:false, URL validation, filename sanitization). Minor concerns around unpinned dependencies and SSL bypass flag.
Skill name: twitter-video-download
Analysis time: 25.8 s
Engine: pi
Verdict: Safe to install
Approve for use with a note to pin yt-dlp to a specific version for production deployments. The `--no-check-certificate` flag usage should be reviewed.

Security findings (2)

Severity | Finding | Category | Location
Low | yt-dlp dependency not version-pinned | Supply chain | SKILL.md:9
  SKILL.md instructs `pip install yt-dlp` without specifying a version, so whatever the index serves at install time is used; a future malicious or compromised release would be pulled in automatically.
  Evidence: pip install yt-dlp
  → Pin the version, e.g. `pip install yt-dlp==2024.03.10` or equivalent. A pinned version still trusts the index to serve the right artifact; for production, also pin the package hash (pip's `--require-hashes` with a requirements file) so a substituted artifact fails to install.
Low | SSL certificate verification bypass flag present | Sensitive access | scripts/download.mjs:103
  The script passes `--no-check-certificate` to yt-dlp. This disables TLS certificate verification for every request the downloader makes, not only proxied ones, so anyone on the network path (a proxy, a hostile Wi-Fi gateway) can intercept or replace the downloaded content.
  Evidence: '--no-check-certificate'
  → Remove --no-check-certificate, or make it an explicit opt-in that is only honoured for a specific broken (TLS-intercepting) proxy configuration; never emit it unconditionally.
Resource type | Declared | Inferred | Status | Evidence
Command execution | NONE | WRITE | ✓ Consistent | SKILL.md does not explicitly declare subprocess/spawn usage for yt-dlp, though i…
File system | WRITE | WRITE | ✓ Consistent | Writes downloaded video files to the specified output path
Network access | READ | READ | ✓ Consistent | Downloads video content from Twitter/X URLs only
External URL findings (4)

Severity | Type | URL | Location
Medium | External URL | https://x.com/username/status/123456789 | RELEASE_NOTES.md:74
Medium | External URL | https://x.com/user/status/123456789 | RELEASE_NOTES.md:78
Medium | External URL | https://x.com/xxx/status/xxx | SKILL.md:26
Medium | External URL | https://twitter.com/username/status/123456789 | SKILL.md:43

Directory structure

3 files · 10.0 KB · 372 lines
Markdown: 2 files, 191 lines · JavaScript: 1 file, 181 lines
├─ 📁 scripts
│ └─ 📜 download.mjs (JavaScript, 181 lines, 5.2 KB)
├─ 📝 RELEASE_NOTES.md (Markdown, 110 lines, 2.4 KB)
└─ 📝 SKILL.md (Markdown, 81 lines, 2.3 KB)

Dependency analysis (1)

Package | Version | Source | Known vulnerabilities | Notes
yt-dlp | * | pip | | Version not pinned; specify an exact version

Security highlights

✓ Uses shell:false in Node.js spawn, so arguments are passed as an argv and never interpreted by a shell (this blocks shell metacharacter injection; it does not by itself stop a crafted value from being read as a yt-dlp option, which is why the URL and filename checks below matter)
✓ Validates URLs and accepts only the twitter.com and x.com domains
✓ Sanitizes the output filename, preventing path traversal into other directories
✓ Validates the proxy URL format before passing it to yt-dlp
✓ Delegates fetching to the well-known yt-dlp tool rather than a custom HTTP implementation
✓ No credential harvesting or environment variable exfiltration
✓ No access to sensitive paths like ~/.ssh or ~/.aws
✓ No obfuscation or encoded execution patterns