YouTube Shorts Automation

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A video could be uploaded publicly to the user's YouTube channel even if the user tried to choose private or unlisted.

Why it was flagged

The command accepts a privacy choice, but upload_video hard-codes public visibility and main() never passes args.privacy, so private or unlisted selections are ignored.

Skill content
parser.add_argument("--privacy", default="public", choices=["public", "private", "unlisted"])
...
"privacyStatus": "public"
...
video_id = upload_video(youtube, args.file, args.title, args.description, tags)
Recommendation

Fix the script to pass the privacy argument into upload_video and set privacyStatus from that value; consider defaulting to private or unlisted until the user explicitly approves public publishing.

What this means

Anyone or any process that can use the stored token may be able to upload videos to the authorized YouTube account.

Why it was flagged

The script obtains YouTube upload authority and persists the OAuth token locally for reuse.

Skill content
SCOPES = ["https://www.googleapis.com/auth/youtube.upload"]
...
TOKEN_FILE = SCRIPT_DIR / "token.json"
...
TOKEN_FILE.write_text(creds.to_json())
Recommendation

Store token.json securely, authorize only the intended YouTube account, revoke the token if no longer needed, and avoid sharing or syncing the token file.

Note
High Confidence
ASI10: Rogue Agents
What this means

If enabled, the automation may repeatedly consume Deevid credits and post to YouTube without a fresh manual review each day.

Why it was flagged

The skill documents optional scheduled daily automation, which can continue generating and uploading content after initial setup.

Skill content
Can run automatically every day as a cron job... Runs the pipeline in an isolated session at a set time each day.
Recommendation

Only enable cron after testing manually, keep an easy stop/disable path, and use private or unlisted uploads until the daily workflow is reviewed.

What this means

Users may need to install dependencies manually and should verify package sources and versions.

Why it was flagged

The documentation requires external Python packages, but the registry metadata/install spec does not declare or pin them.

Skill content
Python packages: `google-api-python-client`, `google-auth-oauthlib`
Recommendation

Declare the dependencies in install metadata or a requirements file with pinned versions, and install them from trusted package indexes.