Back to skill

Security audit

YouTube Activity

Security checks across malware telemetry and agentic risk

Overview

This skill is a transparent YouTube activity-listing helper, but it relies on sensitive YouTube OAuth files that users must protect.

Install only if you trust the yutu CLI source. Keep client_secret.json and youtube.token.json private, store them outside shared or source-controlled folders, add them to .gitignore when working in repositories, and revoke or rotate the OAuth token if either file is exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The setup guide instructs users to create and locally store OAuth client secrets and cached access tokens, but it does not warn that these files are sensitive or advise safe handling. In an agent-skill context, users may place these files in working directories, repos, or shared environments, increasing the chance of accidental disclosure and unauthorized access to YouTube account data/actions.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.