Back to skill

Security audit

YouTube Channel Banner

Security checks across malware telemetry and agentic risk

Overview

This skill is a scoped guide for using the yutu CLI to upload YouTube channel banners, with expected OAuth setup and no hidden automation in the artifacts.

Install only if you trust the yutu CLI source. Treat client_secret.json and youtube.token.json as secrets: keep them outside shared repositories, restrict access, add them to .gitignore, and revoke or rotate credentials if exposed. Double-check the channel ID and image before running the upload because it can change a public YouTube channel banner.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The setup guide instructs users to save OAuth client secrets and access tokens locally as `client_secret.json` and `youtube.token.json` but does not warn that these files are sensitive, should be excluded from source control, or stored with restricted permissions. In a CLI skill context, users may follow the instructions verbatim and accidentally expose credentials through repos, backups, logs, or shared working directories, enabling unauthorized access to the linked YouTube account.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.