Youtube Playlist Handler

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real YouTube playlist tool, but it needs review because it can access broader YouTube account data and stores a reusable local OAuth token.

Install only if you trust this skill with broad YouTube account authority. Before use, understand that it stores a reusable local token, can modify playlists, and contains undocumented commands that can print liked videos and subscriptions; delete token.pickle or revoke the Google OAuth grant when done.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill invokes a Python script that authenticates to YouTube via OAuth and performs remote API operations, which is a network-capable behavior, yet no permissions are declared in the skill metadata. This is dangerous because users and calling agents are not given an accurate trust boundary: the skill can transmit account data and act on a YouTube account without an explicit permission declaration.

Tp4

High
Category
MCP Tool Poisoning
Confidence
89% confidence
Finding
The documented purpose is limited to playlist creation and management, but the detected behavior includes additional account-reading and playlist-modifying capabilities such as removing videos, listing playlist contents, retrieving liked videos, and retrieving subscriptions. This mismatch is risky because a user or orchestrating agent may authorize the skill expecting narrow playlist actions, while the implementation may access broader personal YouTube data or perform unexpected modifications.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The skill advertises playlist management but also exposes commands to enumerate liked videos and subscriptions, which are separate categories of personal account data. This creates scope creep and enables collection of user profile information beyond what a user would reasonably expect from the manifest, increasing privacy risk and the chance of overbroad agent behavior.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The function claims to retrieve watch history, but actually requests liked videos. Mislabeling data access is dangerous because users or orchestration layers may authorize or invoke the function under false assumptions about what private account data is being collected, undermining informed consent and auditability.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The skill is presented as a playlist-management tool, but it also includes functions to enumerate liked videos and subscriptions, which are unrelated account-data access paths. This creates over-privileged behavior and unexpected collection of personal user data, increasing privacy risk and violating least-privilege expectations for the stated skill purpose.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The code can enumerate the user's subscriptions even though the skill description only claims playlist creation and management. Subscription lists reveal behavioral interests and account profile information, so collecting them without a strong product need or explicit disclosure is an unjustified privacy-invasive capability.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The function retrieves the user's liked videos as a proxy for watch history, which is sensitive behavioral data unrelated to basic playlist management. Because this capability is outside the advertised purpose of the skill, it can surprise users and expose personal viewing preferences without clear justification.

Intent-Code Divergence

Medium
Confidence
85% confidence
Finding
The docstring claims to get watch history, but the implementation actually fetches liked videos. This mismatch can mislead reviewers and users about what personal data is accessed, undermining informed consent and making the code's privacy behavior harder to audit accurately.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The OAuth token is serialized to a local pickle file without warning the user, and pickle-based storage is also unsafe because loading a tampered pickle can execute arbitrary code. Local token persistence can expose long-lived account access to other local users, processes, or later compromise of the skill directory.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script deletes playlist items immediately once a match is found, with no confirmation, dry-run, or warning. In an agent context, malformed input, prompt confusion, or wrong playlist/video identifiers could cause unintended destructive changes to a user's account content.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
OAuth tokens are serialized to a local pickle file without any user-facing notice about persistent credential storage. If the host environment is shared, backed up, or later compromised, stored tokens may allow unauthorized access to the user's YouTube account under the granted scope.

Missing User Warnings

Low
Confidence
91% confidence
Finding
The script performs API calls for liked videos and subscriptions without an explicit privacy warning, despite accessing sensitive account data beyond simple playlist management. Even if technically authorized by OAuth, users may not understand that these features inspect personal preference data.

VirusTotal

66/66 vendors flagged this skill as clean.
