YouTube Music
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: ytmusic
Version: 1.0.1
The skill is classified as benign. The `SKILL.md` provides clear instructions for setting up the YouTube Music API, which involves installing a Python library (`pip install ytmusicapi`) and generating an authentication file (`browser.json`) from a cURL command. While the setup process requires the user to handle sensitive authentication data (cookies/tokens in the cURL command), these steps are explicitly for local authentication setup and do not contain any instructions for the AI agent to exfiltrate data, perform unauthorized actions, or engage in prompt injection with malicious intent. The file operations (reading `headers.txt`, writing `browser.json`) are necessary for the skill's stated purpose of managing YouTube Music.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone or any agent process that can read the generated auth file may be able to act on the connected YouTube Music account.
The setup creates a persistent YouTube Music authentication file from a logged-in browser request. This is expected for ytmusicapi, but it grants access to the user's YouTube Music account and should be handled as a credential.
Authentication file (`oauth.json` or `browser.json`) in the skill folder ... Copy as cURL (bash) ... setup_browser('browser.json', f.read())
Use a dedicated or least-sensitive account if possible, store `browser.json` securely, delete `headers.txt` after setup, and revoke/regenerate the credential if it is exposed.
Mistaken use could like/unlike songs, create playlists, or add/remove tracks from playlists.
The documented API calls can modify the user's YouTube Music library and playlists. This is aligned with the skill's purpose, but these are real account mutations.
Add/Remove: `yt.rate_song(videoId, 'LIKE')`, `yt.edit_song_library_status(feedbackToken)` ... `yt.create_playlist(title, description)` ... `yt.remove_playlist_items(playlistId, [videoIds])`
Ask the agent to preview intended changes and confirm before performing playlist or library mutations, especially removals.
A changed or compromised dependency version could affect what code runs locally during use.
The skill depends on installing an unpinned Python package from the package ecosystem. This is central to the stated purpose, but the artifact does not pin a version or provide a lockfile.
`ytmusicapi` package: `pip install ytmusicapi`
Install from the official package source, consider using a virtual environment, and pin a known-good ytmusicapi version if reproducibility matters.
