YouTube Music ULTRA
Warn
Audited by ClawScan on May 10, 2026.
Overview
This skill mostly matches its YouTube Music purpose, but some scripts build shell commands from user-provided song names or video IDs, which could allow crafted input to run local commands.
Review carefully before installing. The skill's YouTube Music purpose is coherent, but avoid passing untrusted song names, URLs, or video IDs until the shell-command handling is fixed. Use an isolated browser profile and clear the local cache if you do not want search history retained.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A crafted video ID or similar input could potentially run commands on the user's machine instead of only opening YouTube Music.
The script takes a user-supplied video ID and embeds it directly into a shell command executed with execSync, without validating that it is only a YouTube video ID or using a safe argument-array API.
const videoId = args[1]; ... fastExec(`openclaw browser open --targetUrl="${YOUTUBE_WATCH}${videoId}"`);
Use execFile/spawn with argument arrays, validate video IDs and URLs strictly, and avoid constructing shell command strings from user input.
Actions may affect the YouTube Music account active in the OpenClaw browser profile.
The skill controls YouTube Music through a browser profile, which may include a logged-in YouTube/Google session and can affect playlists, likes, queue, or playback.
Uses OpenClaw's browser tool with YouTube Music:
- Profile: `openclaw` (isolated browser)
- Base URL: `https://music.youtube.com`
Use an isolated browser profile for this skill and review account-changing actions such as liking songs or modifying playlists.
Music searches can remain on disk and cached entries could influence later playback behavior.
The skill stores search queries and URLs in a predictable /tmp cache file and may reuse cached data across runs.
const CACHE_FILE = '/tmp/yt_music_v3_cache.json'; ... cache[query.toLowerCase()] = { searchUrl, timestamp: Date.now() }; saveCache(cache);
Store cache data in a user-private skill directory with restrictive permissions, validate cache contents before use, and document/offer cache clearing.
