YouTube

Pass

Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: youtube-api-skill
Version: 1.0.5

The YouTube API skill provides a legitimate integration for interacting with the YouTube Data API v3 through the Maton AI proxy service (api.maton.ai). The documentation in SKILL.md clearly outlines authentication via MATON_API_KEY, OAuth connection management, and various API operations like searching, playlist management, and commenting, while explicitly stating that write operations require user approval. No evidence of data exfiltration, malicious execution, or prompt injection was found.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent may read YouTube account data and, with approval, make changes such as playlist or comment actions on the connected account.

Why it was flagged

The skill uses delegated access to a user's connected YouTube account. This is expected for the stated purpose, but it gives the skill account-level authority within the stated YouTube resource areas.

Skill content

Access is scoped to videos, channels, playlists, comments, and captions within the connected YouTube account.

Recommendation

Connect only the intended YouTube account, review the OAuth permissions shown during authorization, and revoke the connection when it is no longer needed.

What this means

If approved, the agent could change or delete YouTube resources or post/modify public-facing content such as comments or playlists.

Why it was flagged

The skill exposes write-capable API operations, but the visible instructions require confirmation before create, update, or delete actions.

Skill content

All write operations require explicit user approval. Before executing any create, update, or delete call, confirm the target resource and intended effect with the user.

Recommendation

Approve write actions only after checking the exact account, resource, and effect; be especially careful with delete, bulk, or public posting actions.

What this means

YouTube API requests and responses may pass through Maton's service, and Maton manages the OAuth token used for the connected account.

Why it was flagged

The skill routes YouTube API traffic through Maton's gateway, which becomes a data and authentication boundary between the user/agent and Google.

Skill content

https://api.maton.ai/youtube/{native-api-path}

Maton proxies requests to `www.googleapis.com` and automatically injects your OAuth token.

Recommendation

Use this skill only if you trust Maton to handle YouTube API traffic and OAuth securely; avoid sending unnecessary sensitive data in requests.

What this means

Installing the CLI changes the local environment and requires trusting the external package source.

Why it was flagged

The documentation instructs users to install an external global CLI package. This is central to the skill's workflow, but the artifact does not pin a version or provide package provenance beyond the package names.

Skill content

npm install -g @maton-ai/cli
...
brew install maton-ai/cli/maton

Recommendation

Install the CLI only from trusted package registries, verify the publisher/source, and keep it updated.