yt-api-cli

clawhub:yt-api-cli

View source

85/100

First Seen

Feb 18, 2026

Last Scanned

Feb 22, 2026

Findings

Score

85/100

HIGH 1

LOW 1

Findings (2)

HIGH

Binary download and execute EXTDL_007

external-download L18

Detects downloading a binary file followed by making it executable

curl -L -o yt-api https://github.com/nerveband/youtube-api-cli/releases/latest/download + chmod +x

FIX

Pin the download to a specific version tag or commit hash. Verify the downloaded file's checksum before using it. Avoid piping curl output directly to a shell.

FP?

Likely FP if downloading from an official, well-known domain (e.g., deno.land, rustup.rs) with HTTPS, though this pattern remains risky even with trusted sources.

LOW

go install from remote EXTDL_010

external-download L15

Detects go install fetching and compiling arbitrary Go packages

go install github.com/nerveband/youtube-api-cli/cmd/yt-api@

FIX

Pin Go install targets to a specific version (e.g., go install example.com/tool@v1.2.3). Avoid @latest as it fetches whatever is currently published.

FP?

Likely FP if the go install target is a well-known tool (e.g., golang.org/x/ packages) pinned to a specific version in documentation.