Add --cookies-from-browser flag for login-walled sources#21
Open
asayeed95 wants to merge 1 commit into
Open
Conversation
yt-dlp can read existing browser session cookies via --cookies-from-browser BROWSER[+KEYRING][:PROFILE][::CONTAINER]. Surface that as a /watch flag so Instagram Reels, private YouTube videos, and some X posts work without a manual yt-dlp invocation. Off by default — public sources are unchanged. - watch.py: new --cookies-from-browser BROWSER argparse flag, passed through to download(). - download.py: download_url() / download() accept cookies_from_browser kwarg and inject "--cookies-from-browser <value>" into the yt-dlp argv. Rejects values starting with "-" to defend against accidental flag injection. CLI entry point accepts an optional 3rd positional arg for parity. - SKILL.md: documents the new flag, updates the "Download fails" recipe to point at it as the documented retry path for login-required sources, and discloses in the Security & Permissions section that cookies are read transiently by yt-dlp — never written, logged, or sent anywhere except the URL's host. - CHANGELOG.md: [Unreleased] entry. Tested end-to-end on https://www.instagram.com/reel/DX9k8WDPZ2D/ — IG blocked the default download path with "login required", retry with --cookies-from-browser chrome succeeded and produced an mp4 + audio that the rest of the watch pipeline consumed normally. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Surfaces yt-dlp's
--cookies-from-browserflag through/watchso login-walled sources work without dropping out to a manual yt-dlp invocation. Instagram Reels, private YouTube videos, and some X posts currently fail withRequested content is not available, rate-limit reached or login required— this PR makes the documented yt-dlp workaround available as a first-class flag.Off by default. Public sources are byte-identical to current behavior.
Changes
scripts/watch.py— new--cookies-from-browser BROWSERargparse flag, passed through todownload().scripts/download.py—download_url()anddownload()accept acookies_from_browserkwarg and inject--cookies-from-browser <value>into the yt-dlp argv. The kwarg is rejected if it starts with-to defend against accidental flag injection. The CLI entry point accepts an optional 3rd positional arg for parity.SKILL.md— documents the new flag, updates the "Download fails" failure-mode recipe to point at it as the documented retry path, and discloses in the Security & Permissions section that cookies are read transiently by yt-dlp (never written to disk, logged, or sent anywhere except the URL's host).CHANGELOG.md—[Unreleased]entry.Security notes
-are rejected before invocation, so a caller can't sneak in something like--config-location /etc/passwdas the "browser name."BROWSER[+KEYRING][:PROFILE][::CONTAINER]verbatim — yt-dlp does its own validation of browser names and rejects unknown ones with a clear error.out_dir, not written to logs, not exfiltrated. The user remains signed in to the platform afterwards.Test plan
python3 scripts/watch.py --helpshows the new flag with full help textdownload_url(..., cookies_from_browser='--config-location')raisesSystemExitbefore invoking yt-dlp (flag-injection guard)https://www.instagram.com/reel/DX9k8WDPZ2D/: default path fails with "login required" (current behavior); retry with--cookies-from-browser chromesucceeds and produces an mp4 + audio that the rest of the watch pipeline consumes normally (60 frames extracted, Whisper/Groq transcription returned 28 segments)Why this is in scope for the skill
The existing "Download fails" recipe in
SKILL.mdcurrently tells the agent to give up on login-required content:That's the right behavior when there's no escape hatch — but yt-dlp itself documents
--cookies-from-browseras the canonical workaround. Promoting it to a/watchflag means the agent has the same retry option a human running yt-dlp directly would have, with the security tradeoffs spelled out upfront.🤖 Generated with Claude Code