Onnex YouTube
Security checks across malware telemetry and agentic risk
Overview
The skill largely matches its YouTube purpose, but it requests broad persistent YouTube OAuth permissions and uses local credential/token handling that is more powerful than its mostly read-only features require.
Install only if you are comfortable granting this skill broad YouTube OAuth access. Consider using a separate Google account or OAuth client, revoke access after testing, and avoid relying solely on the security-review claim. A safer version would use narrower scopes, declare credential requirements clearly, pin dependencies, and avoid pickle for token storage.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If you authenticate, the skill may receive broader YouTube account authority than is needed for basic viewing and transcript features.
The script requests broad YouTube OAuth scopes, including scopes that can allow account management, while the visible commands are primarily read/list/search/transcript/download operations.
SCOPES = [
    'https://www.googleapis.com/auth/youtube.readonly',
    'https://www.googleapis.com/auth/youtube',
    'https://www.googleapis.com/auth/youtube.force-ssl'
]
Prefer a version that uses the narrowest OAuth scopes needed, such as read-only scopes for read-only commands, and clearly separates any commands that require write/manage permissions.
The skill may reuse local Google/YouTube OAuth configuration that users did not expect it to access.
The script looks for OAuth client credential files in local config directories, including a gogcli path, while the registry metadata says there is no primary credential and no required config path.
CREDENTIAL_PATHS = [
    Path.home() / '.config' / 'youtube-skill' / 'credentials.json',
    Path.home() / '.config' / 'gogcli' / 'credentials.json',
]
Document the exact credential files used, avoid unrelated tool paths unless explicitly requested, and declare credential/config requirements in metadata.
If the local token file is tampered with by another process or attacker, running the skill could execute unintended code.
The script deserializes a local token file with pickle. Pickle can execute code if the file is maliciously modified, making this a riskier token-storage format.
if token_file.exists():
    with open(token_file, 'rb') as token:
        creds = pickle.load(token)
Store OAuth tokens in a safer format such as JSON or a standard keyring, and restrict file permissions on the token directory.
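As an added example, not code from the skill or from ClawScan, here is a JSON-based token store of the kind the recommendation above describes: it writes the file with 0600 permissions, refuses content that does not parse as JSON (so a pickle blob fails closed instead of being deserialized), and rejects a token whose scopes exceed a read-only allow-list. READONLY_SCOPES, save_token_json, load_token_json and the sample token values are assumptions constructed for the demo, and the permission check assumes a POSIX filesystem.

```python
import json
import os
import pickle
import stat
import tempfile
from pathlib import Path

READONLY_SCOPES = {"https://www.googleapis.com/auth/youtube.readonly"}  # hypothetical allow-list, not from the skill


def save_token_json(token_file: Path, token: dict) -> None:
    """Write the token as JSON, owner read/write only (0600), even if the file already existed."""
    token_file.parent.mkdir(parents=True, exist_ok=True)
    with os.fdopen(os.open(token_file, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600), "w") as fh:
        json.dump(token, fh)
    os.chmod(token_file, stat.S_IRUSR | stat.S_IWUSR)  # tighten a pre-existing file too


def load_token_json(token_file: Path, allowed_scopes: set) -> dict:
    """Parse the token as JSON only; a pickle blob or other tampered content fails instead of running."""
    try:
        token = json.loads(token_file.read_bytes())
    except ValueError as exc:  # JSONDecodeError and UnicodeDecodeError are both ValueError subclasses
        raise ValueError(f"{token_file} is not a JSON token file") from exc
    extra = set(token.get("scopes", [])) - allowed_scopes
    if extra:
        raise ValueError(f"token grants scopes outside the allow-list: {sorted(extra)}")
    return token


def _rejected(token_file: Path) -> bool:
    try:
        load_token_json(token_file, READONLY_SCOPES)
        return False
    except ValueError:
        return True


def demo() -> dict:
    """Constructed self-check in a temp dir: round-trip, then reject a pickle blob and an over-broad token."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        token_file = Path(d) / "token.json"
        token = {"token": "ya29.EXAMPLE", "scopes": sorted(READONLY_SCOPES)}  # constructed sample values
        save_token_json(token_file, token)
        results["roundtrip"] = load_token_json(token_file, READONLY_SCOPES) == token
        results["mode_0600"] = stat.S_IMODE(token_file.stat().st_mode) == 0o600
        token_file.write_bytes(pickle.dumps(token))  # the skill's on-disk format; pickle.load would execute it
        results["rejects_pickle"] = _rejected(token_file)
        save_token_json(token_file, {**token, "scopes": ["https://www.googleapis.com/auth/youtube"]})
        results["rejects_broad"] = _rejected(token_file)
    return results
```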
Future dependency updates could change behavior when the script is run, even if the skill file itself has not changed.
The script declares external Python dependencies using lower-bound version constraints rather than pinned versions.
# dependencies = [
#     "google-api-python-client>=2.0.0",
#     "google-auth-oauthlib>=1.0.0",
#     "google-auth-httplib2>=0.1.0",
#     "youtube-transcript-api>=0.6.0",
# ]
Use pinned dependency versions or a lockfile for reproducible installs.
Users may place more trust in the skill than its requested OAuth authority warrants.
The skill makes strong security-review claims. These may be true, but they are not a technical control and should not override review of the actual permissions and code.
description: "YouTube transcripts, 4K downloads, and video exploration. Onnex-owned fork of youtube-ultimate. Security reviewed before install."
Treat security-review claims as informational and still verify scopes, dependencies, credential paths, and token storage behavior before authenticating.
