Skill v1.0.0

ClawScan security

YouTube Upload Videos Skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 28, 2026, 6:39 PM
Verdict: Benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's code, instructions, and requirements align with its stated purpose (uploading videos to YouTube via the official API); it requests only what is necessary and contains no obvious incoherent or exfiltrative behavior.
Guidance
This skill appears to do exactly what it says: upload videos via the official YouTube API. Before using it:
- Provide your own Google OAuth client_secret.json and keep it private. Do not paste it into public places.
- The script will create token.pickle in the current folder, which stores OAuth credentials; treat that file as sensitive, restrict its filesystem permissions, and remove it if you suspect compromise.
- The script opens a local auth flow (browser/URL) on first run; run this only on a machine you control.
- Install dependencies via pip in a virtualenv if you want isolation and to avoid supply-chain surprises.
- Review the code yourself if you need stronger assurance (it uses google-api-python-client and only contacts Google APIs).

Revoke the OAuth client or token from your Google account if you suspect misuse.

Review Dimensions

Purpose & Capability: ok
Name/description request uploading to YouTube; required binaries (python3, pip3), instructions to install the Google API Python packages, and the included upload.py script all match that purpose. The script uses the YouTube Data API v3 and OAuth 2.0 as claimed.
Instruction Scope: ok
SKILL.md and README focus solely on uploading videos and the OAuth flow. The runtime instructions require a client_secret.json and run the provided script; they do not instruct reading unrelated files, accessing unrelated environment variables, or sending data to third-party endpoints beyond Google's APIs.
Install Mechanism: note
This is an instruction-only skill (no automated install spec), but it directs the user to pip3 install standard google-auth packages. That is reasonable for the task; no remote downloads or unusual install actions are present.
Credentials: ok
No environment variables or unrelated credentials are requested. The only required secret is the user-provided client_secret.json (OAuth client), and the script saves a local token.pickle for refresh/credentials; both are proportional to obtaining OAuth tokens for YouTube uploads.
Persistence & Privilege: note
The script persists OAuth credentials to token.pickle in the working directory (expected behavior). Users should be aware this file contains credentials and will persist on disk; the skill does not request broader system persistence or modify other skills.