Youtube Playlist Handler
v1.0.0
Create and manage YouTube playlists. Use when user wants to create a playlist, add videos to playlists, or manage their YouTube playlists.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the code: the scripts call YouTube APIs to create/list playlists, add/remove videos, list subscriptions and liked videos. However the code requests the broad scope 'https://www.googleapis.com/auth/youtube' (full YouTube access) rather than a more limited scope, which is broader than the narrow 'playlist management' wording might imply.
Instruction Scope
SKILL.md instructs running the included Python scripts and mentions token.pickle, but it does not declare the requirement for a credentials.json OAuth client file even though the code exits if credentials.json is missing and requires browser-based OAuth. The code reads/writes token.pickle and credentials.json under the skill directory; that file access is expected for OAuth but is not reflected in the skill metadata/config declarations.
Install Mechanism
No install spec; this is instruction + shipped Python code. There are no external download URLs or install scripts. The only runtime dependency is python3 and standard Google client libraries (imported in the code) which must already be present or installed by the host — no automatic installs are attempted by the skill itself.
Credentials
The skill declares no required env vars or config paths, but the code requires a credentials.json file (OAuth client secrets) and will create token.pickle in the skill directory. It also requests a very permissive YouTube scope that allows broad account actions (not just playlist edits). The metadata does not justify or declare these file/credential needs.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system settings. It will store an OAuth token (token.pickle) in the skill directory, which is normal for installed OAuth clients but is a persistent local artifact you should be aware of.
What to consider before installing
This skill's code appears to implement the advertised playlist functionality, but before installing:
1) Confirm the source/trustworthiness of the skill (homepage is missing and source is unknown).
2) You will need to provide your own Google OAuth credentials.json (the metadata does not list this requirement). The script will open a browser for OAuth and store a token in token.pickle under the skill directory — treat that file as sensitive because it grants API access to your account.
3) Note the OAuth scope is broad (full YouTube access); if you only want playlist edits, consider asking the author to use a narrower scope or inspect the credentials and scopes you grant during OAuth.
4) The package contains duplicate script files; that's likely benign but verify that both files are identical (they are here) and that no hidden/obfuscated code exists.
If you need higher confidence, ask the publisher for a verified homepage, a signed release, or a minimal-scope variant that explicitly documents where credentials.json should be placed and what exact permissions are required.
Like a lobster shell, security has layers — review code before you run it.
latestvk9783cjjkqqhn88rr8ev7nnekx80fp70
Runtime requirements
📋 Clawdis
Bins: python3
