YouTube Shorts Automation

v1.0.0

Pipeline for automatically generating and uploading YouTube Shorts. Generates image→video (including BGM and voice) with the Deevid AI Agent, then uploads to YouTube. Can be run automatically every day as a cron job. Use when generating short-form vertical videos, creating AI-generated video content, uploading to YouTube Shorts, or automating daily video content pipelines.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description align with the included upload script and Deevid-based workflow. Minor inconsistencies: SKILL.md mentions optional Telegram delivery and cron payload contents, but there is no Telegram integration code or declared config for that. Overall functionality (image→video via Deevid, upload via YouTube API) is coherent.
! Instruction Scope
Runtime instructions require obtaining images from Deevid, generating videos with Deevid Agent, downloading via CDN URLs, then running the provided Python upload script. However the docs explicitly tell users to include the 'full workflow description + environment paths' in the cronjob payload — advising to include environment paths in payloads can expose sensitive data. The SKILL.md also references local files (client_secret.json and token.json) but those files are not declared in metadata. Instructions are otherwise specific and not overly broad, but the cron/payload guidance is risky and unnecessary.
Install Mechanism
No install spec — instruction-only with a small helper script. No network download/install of third-party code during installation. This is low-risk from an install-mechanism perspective.
! Credentials
Metadata lists no required env vars or credentials, yet the instructions require OAuth credentials (client_secret.json) and write a token.json in the script directory. Those credentials (and token.json storage) are not declared in the registry metadata. The YouTube OAuth scope requested in the script is limited to youtube.upload, which is appropriate, but undeclared credential requirements and advice to include environment paths in cron payloads are disproportionate and could leak secrets.
Persistence & Privilege
The skill is not always:true and does not request elevated persistence. It writes token.json to its own script directory as part of normal OAuth flow (expected). Suggestion to run as a cron job is normal for automation but increases exposure if credentials/payloads are mishandled.
Scan Findings in Context
[unicode-control-chars] unexpected: The SKILL.md contained unicode-control-character patterns flagged by the pre-scan. This looks like a prompt-injection marker embedded in the textual instructions; it is not required for YouTube/Deevid functionality and should be removed or inspected. Presence is suspicious but not proof of malicious intent.
What to consider before installing
This skill largely implements a coherent image→video→YouTube workflow and includes a usable upload script, but there are a few red flags to address before installing:
1) The skill's registry metadata lists no required credentials yet the instructions require Google OAuth client_secret.json and will write token.json (containing tokens) to the script folder — make sure you create the OAuth client yourself in Google Cloud and store client_secret.json securely, and run the script in an isolated directory.
2) Do NOT include full environment paths or secrets in any cronjob payloads; the SKILL.md's suggestion to include 'environment paths' in the cron payload risks leaking sensitive data.
3) The SKILL.md contains a prompt-injection artifact (unicode-control-chars); sanitize the file and confirm the text hasn't been tampered with.
4) There is no Telegram integration code despite mention — if you need Telegram delivery, implement and inspect that integration yourself.
5) Run the upload script locally first to confirm OAuth behavior and token storage; consider using a dedicated Google account with minimal permissions and rotate credentials after testing.
If you need higher confidence, ask the publisher for a homepage/source, an explicit manifest declaring required config files, and clarification on the cron payload format and any optional external endpoints.

Like a lobster shell, security has layers — review code before you run it.

latestvk973145ek8r0zwtye6h70q4tvh812dm8
