YouTube Comment Moderator
Warn
Audited by ClawScan on May 10, 2026.
Overview
The skill matches its YouTube moderation purpose, but it can automatically delete comments or post replies using OAuth and has sensitive OAuth-code handling that users should review carefully.
Install only if you are comfortable giving the skill YouTube OAuth permission to reply to or hide/delete comments. Use monitor or approval mode first, avoid pasting full OAuth callback URLs into chat, protect the saved OAuth token and SQLite database, and do not enable cron or auto mode until dry-run results look safe.
Findings (7)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken model classification could delete legitimate comments or post inappropriate replies on the user's channel.
Auto mode performs public account mutations without per-comment review once enabled.
- **auto** — auto-replies to questions, auto-deletes spam/hate
Start in monitor or approval mode, review the dry-run output, require explicit approval for deletes/replies, and limit the video scope before enabling auto mode.
A malicious or manipulative comment could try to influence the classifier and cause unwanted moderation actions.
Untrusted public comment text is inserted directly into the Gemini classification prompt; in auto mode, classification results can drive deletion or reply actions.
f'{j+1}. [id:{c["comment_id"]}] [{c["author"]}] (likes:{c["like_count"]}) {c["text"][:400]}'
Treat comment text strictly as data, add prompt-injection-resistant delimiters and validation, and keep destructive actions behind an approval queue or confidence threshold.
If the callback URL is logged or seen by the wrong party before exchange, it could be used to obtain access for YouTube moderation actions.
The callback URL contains an OAuth authorization code; asking users to paste the full URL into chat can expose sensitive authorization material before it is exchanged.
Copy the entire URL from your browser's address bar and paste it back here.
Paste only the OAuth code into a trusted local setup step, avoid sharing the full callback URL in chat, and revoke/re-authorize credentials if exposure is suspected.
Anyone with access to the OAuth token or the configured environment could perform moderation actions on the authorized account.
The OAuth scope gives the skill read/write YouTube comment authority, which is expected for replying and deleting but is still a sensitive account permission.
YOUTUBE_SCOPES = [
    "https://www.googleapis.com/auth/youtube.force-ssl"  # read + write comments
]
Use a dedicated Google Cloud OAuth client, authorize only the intended channel owner account, protect the token file, and revoke the token when no longer needed.
Public comment data and author handles are processed by an external AI provider as part of classification.
Comment IDs, author names, and comment text are included in prompts sent to the Gemini API for classification.
f"[{c['comment_id']}] @{c['author']}: {c['text'][:500]}"
Confirm this external processing is acceptable for the channel, and avoid sending private or non-public data through the classifier.
Moderation actions may continue in the background until the scheduled job is disabled.
The skill suggests persistent scheduled execution, which is purpose-aligned but can keep moderating after the initial setup.
Optionally set up a cron job to run every 15-30 minutes for ongoing moderation.
If using cron, document the schedule, logs, and stop command, and prefer approval mode for ongoing runs.
Comment history and moderation decisions remain stored locally and could influence later reports or actions.
The skill persists fetched comments, classifications, actions, and reply drafts in a local SQLite database.
CREATE TABLE IF NOT EXISTS comments (... author TEXT, ... text TEXT, ... classification TEXT, ... reply_draft TEXT ...)
Keep the database in a protected location, review retention needs, and clear old data if it is no longer required.
