Back to skill

Security audit

TinkerClaw YouTube

Security checks across malware telemetry and agentic risk

Overview

This YouTube skill mostly does what it claims, but it under-discloses Google OAuth access, personal account data, and persistent token storage.

Install only if you are comfortable granting this skill Google/YouTube account access. Prefer a dedicated Google project or account, review the OAuth consent scopes carefully, avoid account-data commands unless needed, and protect or revoke the local files under ~/.config/youtube-skill. I found no artifact-backed exfiltration, destructive behavior, or hidden background persistence, so this is Review rather than malicious.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue AgentSelf-Modification, Session Persistence
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill advertises local transcript/download functionality while static analysis detected network and shell-capable behavior without any declared permissions. Undeclared capabilities reduce transparency and can mislead users and host platforms about the actual attack surface, especially because shell execution and outbound network access can be abused for arbitrary command execution or uncontrolled data transfer.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented behavior says the skill avoids API quotas and only interacts locally plus standard YouTube requests, but the analyzed implementation reportedly uses YouTube Data API OAuth flows, accesses authenticated personal account data, and stores local tokens. This mismatch is security-relevant because users may grant access or install the skill under false assumptions, exposing account data and credentials/tokens to software they did not understand to have those privileges.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The skill description emphasizes transcripts, downloads, and exploration, but the code requests broad YouTube OAuth scopes and exposes access to personal account data such as subscriptions, playlists, liked videos, and the user's own channel. This is a scope/transparency mismatch that can mislead users about the level of account access being granted.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README documents access to sensitive user account data such as subscriptions, playlists, liked videos, and channel information without any privacy warning, consent guidance, or scope minimization. In an agent context, this can lead users to authorize broad data access without understanding that personal account data may be retrieved and processed.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
OAuth credentials are serialized to a local pickle token file without any clear user warning about persistent storage of account access tokens. On shared systems or weakly protected home directories, this can expose long-lived tokens to other local users or malware.

Session Persistence

Medium
Category
Rogue Agent
Content
### 2. Get YouTube API credentials

1. Go to [Google Cloud Console](https://console.cloud.google.com/apis/credentials)
2. Create a project (or select existing)
3. Enable "YouTube Data API v3"
4. Create OAuth 2.0 Client ID (Desktop app)
5. Download JSON → save as `~/.config/youtube-skill/credentials.json`
Confidence
84% confidence
Finding
Create a project (or select existing) 3. Enable "YouTube Data API v3" 4. Create OAuth 2.0 Client ID (Desktop app) 5. Download JSON → save as `~/.config

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.