yt-dlp-mcp

The server primarily acts as a wrapper around the `yt-dlp` command-line tool, executed via `_spawnPromise`. Critical security measures include robust URL validation (`validateUrl`), input sanitization (`sanitizeFilename` for file paths, `encodeURIComponent` for search queries), and comprehensive Zod schema validation for all tool inputs (as highlighted in the changelog for v0.7.0), which significantly mitigates command injection risks. Sensitive cookie information is handled through environment variables, with validation for file paths and browser names, and a clear priority system (file over browser). Automatic response truncation (`characterLimit`, `maxTranscriptLength`) is implemented to prevent context overflow in LLMs. The `_spawnPromise` includes error handling for spawning failures. While reliance on an external executable (`yt-dlp`) always introduces a dependency risk, the explicit input validation and sanitization efforts make this server reasonably secure for its intended purpose.