Wjs Uploading Video
ReviewAudited by ClawScan on May 13, 2026.
Overview
This skill appears to do what it says—upload selected videos to YouTube—but it needs Google OAuth access and can change your YouTube account.
Install this only if you want an agent-assisted YouTube uploader. Create your own Google OAuth client, protect the cached token file, test batches with --dry-run, and keep uploads unlisted until you have reviewed the video files, titles, descriptions, tags, playlist, and publish settings.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone or any agent run with access to this token could upload videos to the connected YouTube account.
The script uses a Google OAuth credential and cached token with YouTube upload authority. That is necessary for the stated function, but it grants account-level upload capability.
SCOPES = ["https://www.googleapis.com/auth/youtube.upload"] DEFAULT_CRED = Path.home() / ".config" / "youtube" / "credentials.json" DEFAULT_TOKEN = Path.home() / ".config" / "youtube" / "token.json"
Use an OAuth client you created yourself, keep ~/.config/youtube/token.json private, and revoke the token in Google account settings if you no longer trust the skill.
A mistaken command or metadata file could upload the wrong videos, publish them publicly, or attach them to the wrong playlist.
The skill can upload, publish, schedule, and add videos to playlists. These are intended YouTube actions and the default is unlisted, but they can affect public account content.
| `--privacy` | `unlisted` | `private` / `unlisted` / `public` | | `--playlist <ID>` | none | Add each uploaded video to a playlist | | `--publish-at <ISO8601>` | none | Schedule publish
Run --dry-run first for batches, keep privacy as unlisted until reviewed, and explicitly confirm any public or scheduled publish settings.
Installing packages without pinning can expose the environment to dependency changes or package-index compromise.
The documented setup installs unpinned packages from the Python package ecosystem, while the registry has no install spec. This is understandable for the integration but leaves dependency provenance to the user environment.
Python deps: `pip3 install google-auth-oauthlib google-api-python-client requests`
Install dependencies in a virtual environment, prefer pinned versions if possible, and use trusted package sources.
A user could become too comfortable bypassing Google OAuth warnings if they do not understand the setup context.
The guide tells users to proceed through Google's unverified-app warning, but it also frames this as safe only for a personal OAuth app the user created.
Google shows a "Google hasn't verified this app" warning — click **Advanced** → **Go to YouTube Upload (unsafe)**. This is normal for a personal OAuth app in Testing mode; you own the app
Only proceed past the warning for an OAuth app you created in your own Google Cloud project; do not do this for an OAuth client supplied by someone else.