Youtube Analytics

Review

Audited by ClawScan on May 10, 2026.

Overview

This looks like a real YouTube Analytics/Membrane connector, but it can use your YouTube authorization for broad direct API access and account-changing actions without clear guardrails in the provided text.

Use this skill only if you trust Membrane and the Membrane CLI. During OAuth, check the requested scopes, prefer read-only analytics tasks, and require explicit confirmation before any delete, update, comment, channel, or direct proxy request.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

An agent using this skill could change or delete YouTube Analytics resources, or make direct API calls, if the user does not explicitly constrain it.

Why it was flagged

The skill documents destructive account actions and a raw proxy fallback using the authenticated connection, without showing approval or scoping limits in the provided artifact.

Skill content

Use action names and parameters as needed. ... | Delete Group | delete-group | Delete a YouTube Analytics group. | ... When the available actions don't cover your use case, you can send requests directly to the YouTube Analytics API through Membrane's proxy.

Recommendation

Require explicit user confirmation for create/update/delete and proxy requests; prefer read-only report actions unless the user specifically asks for a mutation.

What this means

Installing and using the skill may authorize Membrane-backed access to YouTube Analytics data and permitted account operations.

Why it was flagged

The skill relies on delegated YouTube/Membrane authentication and automatic refresh, which is expected for this integration but grants persistent account authority.

Skill content

Membrane handles authentication and credentials refresh automatically — so you can focus on the integration logic rather than auth plumbing.

Recommendation

Review the OAuth scopes during connection, use the least-privileged account possible, and revoke the connection when no longer needed.

What this means

Users depend on the current npm package and publisher integrity when installing the CLI.

Why it was flagged

The setup uses a globally installed, unpinned npm package. This is central to the stated purpose, but the exact code version may change over time.

Skill content

npm install -g @membranehq/cli@latest

Recommendation

Install the CLI only from a trusted source, consider pinning a reviewed version, and verify the package publisher before use.

What this means

Connection setup text from the provider could influence agent behavior if followed too broadly.

Why it was flagged

The skill permits remote connection-state responses to include agent-facing instructions. That can be legitimate setup guidance, but the agent should not treat it as higher-priority than the user's intent.

Skill content

`clientAction.agentInstructions` (optional) — instructions for the AI agent on how to proceed programmatically.

Recommendation

Treat provider-returned instructions as untrusted task data and follow them only when they are necessary for the user-requested connection flow.

What this means

YouTube Analytics queries, responses, and credential-backed requests may pass through Membrane infrastructure.

Why it was flagged

The skill routes API traffic through Membrane as an integration gateway. This is disclosed and purpose-aligned, but the provided text does not describe data retention or boundary details.

Skill content

send requests directly to the YouTube Analytics API through Membrane's proxy

Recommendation

Review Membrane's privacy/security practices and avoid sending unnecessary sensitive data through proxy requests.