Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

YouTube Bulk Publisher

v1.0.0

Supports batch uploading of videos to YouTube, automatically setting the title, description, tags, privacy and custom thumbnail, and provides upload progress and status query functions.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (bulk YouTube uploader) match the included code and SKILL.md: the code implements OAuth, video upload, thumbnail upload, progress reporting, and status queries using the YouTube Data API.
Instruction Scope
Runtime instructions are limited to placing OAuth credentials in a credentials/ folder and running the Python uploader. The code performs only YouTube API operations and local token storage (token.pickle). It opens a local OAuth redirect server for interactive authorization (run_local_server), which is expected for InstalledAppFlow.
Install Mechanism
No install spec is provided (instruction-only), but the package includes Python code that requires Python 3.7+ and specific google-* packages (documented in SKILL.md). The skill does not declare required binaries even though it needs Python and third-party libraries — this mismatch is a usability concern but not an integrity risk by itself.
Credentials
The skill requests no environment variables or external credentials at runtime. It does include a sample credentials/youtube_credentials.json containing a client_id and client_secret — this appears to be a placeholder/test file. Including credential JSON in the bundle is potentially sensitive; the legitimate workflow is to supply your own OAuth client credentials, which is proportional to the skill's purpose.
Persistence & Privilege
The skill does not request elevated or permanent platform privileges (always:false). It stores OAuth tokens locally under credentials/token.pickle, which is normal for OAuth clients. It does not modify other skills or system settings.
Assessment
This skill appears to do what it claims, but check these before installing:
1) Replace the included credentials/youtube_credentials.json with your own OAuth client credentials from Google Cloud (do not use someone else's client_secret).
2) Be aware the tool runs an interactive local OAuth flow (it will open a localhost port) and stores tokens in credentials/token.pickle — protect that file.
3) Install the documented Python dependencies (google-api-python-client, google-auth-httplib2, google-auth-oauthlib) and run with Python 3.7+.
4) Verify the repository/author if you plan to use it in production (the package.json lists an external repo and contact info).
5) If you need non-interactive/CI uploads, implement a service account or proper OAuth flow rather than embedding credentials.
If any credential file included looks real or you don't control the OAuth client, treat it as sensitive and do not reuse it.
