YouTube Ultimate
Security checks across malware telemetry and agentic risk
Overview
The skill mixes genuinely local transcript/download functionality with YouTube Data API usage, but its description and declared requirements contradict the README and code: it both claims “no credentials” and instructs you to create and store OAuth credentials and tokens with broad scopes.
This skill is not outright malicious, but it is internally inconsistent and asks you to do things it claimed it wouldn't. Before installing or running it:

- Understand the split: transcripts can be fetched without API keys (youtube-transcript-api), so you can use just that functionality without providing credentials. Search, comments, playlists, subscriptions, and some video details, however, require the YouTube Data API and OAuth credentials; the README and script explicitly implement that flow.
- If you must enable API features, review the code (scripts/youtube.py) yourself. The OAuth SCOPES include 'youtube' (broad, potentially write-capable) as well as readonly; consider restricting to readonly scopes if you only need read access.
- The tool stores credentials and tokens under ~/.config/youtube-skill (and also looks for an unexpected path, ~/.config/gogcli/credentials.json). If you provide credentials, they will be written to disk (token.pickle) via pickle; keep that folder protected and consider setting restrictive filesystem permissions.
- The skill invokes yt-dlp to download content, which writes files to disk and spawns subprocesses; run it in a sandbox/container if you want to limit filesystem/network exposure.
- Confirm you trust the source/owner (no homepage, owner unknown).

If you only need transcripts, skip the OAuth setup and install only the transcript-related dependencies. If you need API-backed features, create OAuth credentials with the minimum scopes, inspect/modify the script to remove unnecessary scopes/paths, and run the skill in an isolated environment. For higher confidence that this package is safe, ask the owner for a canonical repository link and a signed release, or request that the author remove broad scopes and document the exact files that will be written and why.
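A defender-side pre-install check for the two concerns above (the broad OAuth scope and the on-disk token storage), added here as an example and not part of the skill or of this review. The scope URIs are Google's published YouTube Data API scopes; the SAMPLE_SCOPES list and the file modes in the test are constructed stand-ins, and the ~/.config/youtube-skill path is the one the review names.

```python
import stat
from pathlib import Path

# Google's published YouTube Data API scope URIs. The review notes the skill
# requests both the broad 'youtube' scope and the read-only one.
READONLY_SCOPE = "https://www.googleapis.com/auth/youtube.readonly"
BROAD_SCOPES = {
    "https://www.googleapis.com/auth/youtube",            # full read/write access
    "https://www.googleapis.com/auth/youtube.force-ssl",  # also read/write
}

# Constructed stand-in for the SCOPES list the review describes in scripts/youtube.py.
SAMPLE_SCOPES = [
    "https://www.googleapis.com/auth/youtube",
    "https://www.googleapis.com/auth/youtube.readonly",
]

# Permission bits that grant access to anyone other than the file owner.
OTHERS_MASK = stat.S_IRWXG | stat.S_IRWXO


def broad_scopes(scopes):
    """Return the requested scopes that go beyond read-only access, sorted."""
    return sorted(s for s in scopes if s in BROAD_SCOPES)


def restrict_to_readonly(scopes):
    """Swap each broad YouTube scope for the read-only one, keeping order, dropping duplicates."""
    out = []
    for s in scopes:
        s = READONLY_SCOPE if s in BROAD_SCOPES else s
        if s not in out:
            out.append(s)
    return out


def exposed_entries(entries):
    """entries: iterable of (path, permission bits). Return the paths readable or
    writable by group/other; token.pickle and credentials.json should never appear."""
    return sorted(path for path, mode in entries if mode & OTHERS_MASK)


def audit_config_dir(config_dir="~/.config/youtube-skill"):
    """Report the skill's credential directory and any file in it whose mode leaks
    to other users. A group/other-writable directory also lets another local user
    replace token.pickle, which the skill later deserialises with pickle."""
    root = Path(config_dir).expanduser()
    if not root.exists():
        return []
    entries = [(str(p), stat.S_IMODE(p.stat().st_mode)) for p in [root, *root.iterdir()]]
    return exposed_entries(entries)
```

Run it before supplying credentials and again after the first OAuth flow, once token.pickle has actually been written.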
SkillSpector
SkillSpector findings are pending for this release.
VirusTotal
No VirusTotal findings
