ClawHub

YouTube API CLI

v1.0.2

Manage your YouTube account from the command line. Complete CLI for YouTube Data API v3 - list/search videos, upload, manage playlists, and more.

3· 2.6k·7 current·9 all-time
by@nerveband
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name/description, listed commands, and declared required env vars (YT_API_AUTH_TYPE, YT_API_CLIENT_ID, YT_API_CLIENT_SECRET) all match a CLI that wraps the YouTube Data API. No unrelated services or credentials are requested.
Instruction Scope
SKILL.md contains typical install and usage instructions (go install or GitHub release download), config file layout (~/.yt-api/config.yaml) and token storage (~/.yt-api/tokens.json). It also documents additional optional env vars (YT_API_OUTPUT, YT_API_CREDENTIALS) that were not listed in requires.env — this is reasonable but a minor mismatch to note. Instructions do not request reading unrelated system files or exfiltrating data.
Install Mechanism
The skill is instruction-only (no install spec in registry). The README suggests installing via `go install` or downloading releases from GitHub, which is an expected/traceable source. Downloading and running binaries carries normal operational risk — verify the release and checksum before use.
Credentials
Requested env vars are limited and appropriate for OAuth/service-account usage. Storing client_id/client_secret and tokens locally (as documented) is expected for this tool; be aware these secrets are sensitive and should be protected (0600 is recommended for tokens).
Persistence & Privilege
Skill does not request elevated or persistent platform-wide privileges. always is false and the tool stores credentials under its own config directory (~/.yt-api). It does not modify other skills or system-wide agent settings.
Assessment
This skill appears to be what it claims (a YouTube Data API CLI). Before installing: 1) Verify the upstream GitHub repository and releases (owner, commit history, signed tags or checksums) since the registry metadata lacks a homepage; 2) Prefer building from source (go install) if you don't trust a release binary; 3) Protect OAuth client_secret and tokens (store config/tokens with restrictive permissions and avoid committing them); 4) If using service-account credentials, ensure the key file is stored securely and has least privilege; 5) Be cautious when running downloaded binaries (scan them, validate checksums). If you need higher assurance, request the repository URL/commit checksum from the publisher or inspect the source before use.

Like a lobster shell, security has layers — review code before you run it.

latestvk976t9h9x008j3v2mk6qvmhd29801naa

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

▶️ Clawdis
OSmacOS · Linux
EnvYT_API_AUTH_TYPE, YT_API_CLIENT_ID, YT_API_CLIENT_SECRET

Comments