YouTube Shorts Agent

Advisory

Audited by Static analysis on May 6, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A mistaken live upload could publish or modify content on a YouTube channel.

Why it was flagged

The skill can trigger YouTube uploads, which are high-impact account actions, but the artifact clearly requires user ownership, explicit intent, and final confirmation.

Skill content

Use only for user-owned channels and media. Never upload without explicit user intent and final confirmation.

Recommendation

Start with connection_status, privacy_audit, manifest, and dry-run workflows, and require a clear final confirmation before any live upload.

What this means

OAuth access could allow the tool to act on the connected YouTube account within the granted scopes.

Why it was flagged

The skill expects access to YouTube-related credentials or token files; this is proportionate to the upload purpose, but users should treat it as sensitive account authority.

Skill content

Do not print OAuth tokens, API keys, service-account JSON, local token files, or private user data.

Recommendation

Grant only the minimum YouTube scopes needed, keep tokens private, and revoke access if the package is no longer needed.

What this means

Users are trusting the current npm package contents, which were not included in the provided artifact set.

Why it was flagged

The setup downloads and runs an external npm package with automatic confirmation (`--yes`) and no pinned version in the skill artifact; this is normal for MCP setup but depends on npm package provenance.

Skill content

`npm exec --yes --package=youtube-shorts-agent -- youtube-shorts-agent doctor`

Recommendation

Verify the npm package and repository, consider pinning a trusted version, and review the package before connecting OAuth credentials.