YouTube Uploader
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
The skill's behavior matches its YouTube uploading purpose, but it asks for broad, persistent YouTube OAuth authority and auto-installs Python packages, so users should review the scope and token storage before using it.
Only install this if you are comfortable granting a local script persistent OAuth access to your YouTube channel. Use private uploads first, specify the channel explicitly, protect ~/.openclaw/youtube, and revoke the Google OAuth grant if you stop using the skill.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If these credentials are misused or exposed, they could allow ongoing access to the user's YouTube channel beyond a single upload session.
The script requests broad YouTube account scopes and persists refresh-capable OAuth credentials and the client secret locally. This is high-impact account authority for a skill described as an uploader/thumbnail tool.
SCOPES = ["https://www.googleapis.com/auth/youtube", "https://www.googleapis.com/auth/youtube.upload", "https://www.googleapis.com/auth/youtube.force-ssl"] ... "refresh_token": creds.refresh_token, ... "client_secret": creds.client_secret
Use the narrowest YouTube scopes that support the required actions, declare OAuth credentials in metadata, document revocation/cleanup steps, and require explicit user confirmation before public uploads or channel-changing actions.
A mistaken invocation could publish the wrong video, use the wrong account, or make content public sooner than intended.
The skill can create public or scheduled YouTube uploads and can choose a default authenticated channel when one is not specified. This is purpose-aligned, but it affects a real public account.
--privacy (private/unlisted/public, default private), --publish-at ... --channel-id (uses first channel if omitted)
Confirm the file, title, privacy setting, scheduled publish time, and channel ID before running uploads, especially for public or scheduled videos.
First use may download and execute third-party package code from the Python package ecosystem.
The script automatically creates a virtual environment and installs unpinned Python dependencies. The dependency names are hard-coded and relevant to the YouTube API, but this behavior is not captured by the install spec.
subprocess.check_call([str(venv_python), "-m", "pip", "install", "--quiet", *missing])
Disclose the dependency bootstrap in installation metadata and pin dependency versions or hashes where possible.
