YouTube Music
v1.0.1
Manage YouTube Music library, playlists, and discovery via ytmusicapi.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the instructions: the SKILL.md instructs using the ytmusicapi Python library to manage YouTube Music and playlist/library operations. No unrelated binaries, env vars, or services are requested.
Instruction Scope
Instructions stay within the stated purpose (install ytmusicapi, create browser.json via copied network request, use API calls). However the auth-generation steps require copying browser request headers (containing session cookies/tokens) into headers.txt and converting them to browser.json; that produces sensitive credentials which the skill will store in the skill folder.
Install Mechanism
No install spec in the manifest; SKILL.md recommends 'pip install ytmusicapi', which is an expected and proportionate mechanism. No downloads from untrusted URLs or archive extraction are instructed.
Credentials
The skill requests no environment variables or unrelated credentials. The implicit requirement to create and store browser.json grants the skill the same API access as the logged-in YouTube Music account — appropriate for the feature set but high-value, so treat the file as a secret.
Persistence & Privilege
always is false and model invocation is allowed (the platform default). The skill does not request permanent platform-level privileges or modify other skills' configs.
Assessment
This skill is internally consistent for controlling YouTube Music via ytmusicapi, but its setup requires you to extract browser request headers and create a browser.json file that contains your account authentication data. Before installing: (1) verify the ytmusicapi package source (use a virtualenv and inspect PyPI/GitHub for the package), (2) store browser.json in a safe location and delete it when not needed, (3) consider creating/using a secondary Google account if you want to limit blast radius, (4) never paste headers into untrusted machines or public paste sites, and (5) only grant file-system or skill-level access to this skill/agent if you trust the runtime environment. If you want a less sensitive option, look for an OAuth-based flow or official API methods instead of copying browser headers.
Like a lobster shell, security has layers — review code before you run it.
