What "safe" actually has to mean
Search “free YouTube downloader” on Google. The first ten results are a mix of two things: web tools you visit in the browser, and desktop apps you install. The desktop apps are where the safety problem lives.
Independent malware databases (Malwarebytes Threat Center, Hybrid Analysis, VirusTotal) have flagged at least a dozen well-known “free YouTube downloader” desktop applications as PUPs (Potentially Unwanted Programs) over the years. The pattern is consistent: the installer is technically signed, the tool technically downloads YouTube videos, and the installer also bundles:
- A toolbar that hijacks your default search engine.
- A “system optimizer” that finds problems it generated and asks for $40 to fix them.
- A startup item that adds 20 seconds to every boot.
- Sometimes a cryptocurrency miner that runs whenever the CPU is idle.
The agreement that legally permitted all of this was buried in a 6,000-word license that you accepted by clicking Next.
Why a web app cannot do that
A website cannot install software on your machine. The browser sandbox does not allow it. The worst-case malicious behaviour for a web tool is showing you ads that mimic system dialogs, redirecting you to phishing pages, or serving fake download buttons that link to .exe files (which still need you to click and install).
None of those happen here. We run a single mainstream ad network on the homepage (Google AdSense) instead of the popup-laden multi-network mess most YT-downloader sites ship with. There are no fake download buttons. There is no “install our app for faster downloads” banner. The page does what it says and nothing else.
When you close the tab, every trace of having used VidPickr is gone except the file you saved — same as closing any other website. Your browser’s normal cookies / cache rules apply.
How to verify before trusting any tool
Five things to check on any download tool before you trust it:
- Is it a website or an installer? If it asks you to download an .exe / .dmg / .deb, treat it as untrusted by default. A web app cannot install malware.
- Does the page have fake “download” buttons? Multiple green “Download Now” buttons that lead to different sites are the oldest trick in the book. A clean tool has one input and one set of clearly labelled format buttons.
- Does it run a popup or new-tab redirect on click? Untrusted tools monetize by selling redirect impressions. Click anywhere on the page; if a new tab opens to a sketchy ad network, that’s a signal.
- Does the privacy policy actually exist? Look for a footer link to a privacy policy. Read it briefly. Tools without one are operating outside any legal framework you can hold them to.
- What does VirusTotal say about its installer (if any)? Native YT-downloader apps, even popular ones, often score 5+ detections on VirusTotal. Web tools have no installer to scan, which is a feature.
The architecture that makes us safe
VidPickr is a single Next.js web app. The server-side code is roughly 800 lines of Go, deployed on a single VPS. It serves only:
- The static homepage and landing pages.
- A small metadata API at /api/info that returns the format list for a YouTube URL.
- Signed time-limited tokens that let your browser fetch bytes directly from YouTube’s CDN.
That is it. The actual video bytes never touch our infrastructure. We have no use for tracking what you download because we never see it. We have no way to bundle malware because there is no installer. The attack surface is what any normal website’s attack surface is, plus a small metadata cache. Nothing about this stack lets us hand you something dangerous.
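The page does not describe how its signed time-limited tokens are built, so the following is an added example, not VidPickr's code. It sketches one common construction in Go: an HMAC-SHA256 tag over an expiry timestamp and a resource identifier. The `Mint` and `Verify` names, the `<expiry>.<mac>` layout and the sample key and resource strings are all assumptions made for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// sign returns the base64url HMAC-SHA256 of msg under key.
func sign(key []byte, msg string) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(msg))
	return base64.RawURLEncoding.EncodeToString(m.Sum(nil))
}

// Mint issues "<expiry>.<mac>" bound to one resource (hypothetical layout).
func Mint(key []byte, resource string, now time.Time, ttl time.Duration) string {
	exp := strconv.FormatInt(now.Add(ttl).Unix(), 10)
	return exp + "." + sign(key, exp+"\n"+resource)
}

// Verify checks the MAC first, and only then trusts and checks the expiry.
func Verify(key []byte, token, resource string, now time.Time) error {
	exp, mac, ok := strings.Cut(token, ".")
	if !ok {
		return errors.New("malformed token")
	}
	// Constant-time comparison avoids leaking how many MAC bytes matched.
	if !hmac.Equal([]byte(mac), []byte(sign(key, exp+"\n"+resource))) {
		return errors.New("bad signature")
	}
	ts, err := strconv.ParseInt(exp, 10, 64)
	if err != nil || now.Unix() >= ts {
		return errors.New("expired token")
	}
	return nil
}

func main() {
	key := []byte("constructed-demo-key") // constructed; use a random secret in practice
	now := time.Unix(1700000000, 0)       // constructed fixed clock for a repeatable run
	tok := Mint(key, "video123/720p", now, 5*time.Minute)
	fmt.Println(Verify(key, tok, "video123/720p", now))
	fmt.Println(Verify(key, tok, "video123/1080p", now))
	fmt.Println(Verify(key, tok, "video123/720p", now.Add(10*time.Minute)))
}
```

Because the expiry and the resource are both covered by the MAC, a client cannot extend a token's lifetime or reuse it for a different resource without the server key.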