
Comment by pwdisswordfishy

3 months ago

I would not put it past them. And I'm not sure I trust the yt-dlp team to implement sandboxing securely. The codebase is already full of shortcuts that lead to vulnerabilities like file extension injection.

I mean, this gives me pause:

> Both QuickJS and QuickJS-NG do not fully allow executing files from stdin, so yt-dlp will create temporary files for each EJS script execution. This can theoretically lead to time-of-check to time-of-use (TOCTOU) vulnerabilities.

https://github.com/yt-dlp/yt-dlp/wiki/EJS

TOCTOU from temporary files is a solved problem.
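The "solved problem" the comment refers to, as an added illustration (not yt-dlp's code and not the commenter's): stage the script in a freshly created 0700 directory and open it with O_EXCL, so no other local user can swap or symlink the file between the write and the exec; the interpreter is a parameter and, as an assumption for running offline, defaults to the Python binary as a stand-in for QuickJS.

```python
import os
import stat
import subprocess
import sys
import tempfile


def stage_script(source: str) -> tuple:
    """Write source to a new file in a private directory; return (fd, path)."""
    # mkdtemp creates the directory with mode 0700, so no other local user can
    # plant a symlink at the script's name: the write/exec window is closed by
    # owning the directory, not by re-checking the path afterwards.
    workdir = tempfile.mkdtemp(prefix="ejs-")
    path = os.path.join(workdir, "script.js")
    # O_CREAT|O_EXCL fails if anything already exists at that name (including
    # a symlink); O_NOFOLLOW is an extra guard on platforms that have it.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    os.write(fd, source.encode())
    os.fsync(fd)
    return fd, path

def fd_matches_path(fd: int, path: str) -> bool:
    """True if the fd we wrote and the path we hand over name the same regular file."""
    a, b = os.fstat(fd), os.lstat(path)
    return stat.S_ISREG(b.st_mode) and (a.st_dev, a.st_ino) == (b.st_dev, b.st_ino)

def staging_is_private(path: str) -> bool:
    """True if neither the directory nor the file grants group/other access."""
    dmode = stat.S_IMODE(os.stat(os.path.dirname(path)).st_mode)
    fmode = stat.S_IMODE(os.stat(path).st_mode)
    return dmode == 0o700 and fmode == 0o600

def discard_script(fd: int, path: str) -> None:
    os.close(fd)
    os.unlink(path)
    os.rmdir(os.path.dirname(path))

def run_script(source: str, interpreter=None) -> subprocess.CompletedProcess:
    """Stage, verify, execute, clean up. Stand-in interpreter (assumption):
    Python itself, since a QuickJS binary may not be installed where this runs."""
    interpreter = interpreter or [sys.executable]
    fd, path = stage_script(source)
    try:
        if not fd_matches_path(fd, path) or not staging_is_private(path):
            raise RuntimeError("staged script is not what we wrote")
        return subprocess.run(interpreter + [path], capture_output=True, text=True)
    finally:
        discard_script(fd, path)
```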