Back to skill

Security audit

YouTube Member

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed YouTube member-listing helper that uses the yutu CLI and expected Google OAuth files, with a credential-handling documentation gap.

Install only if you are comfortable granting yutu access to your YouTube account data for member listing. Keep `client_secret.json` and `youtube.token.json` private, out of source control and shared folders, and revoke or rotate the OAuth token if either file is exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The setup guide instructs users to download OAuth client secrets and store both the client secret and cached OAuth token as local files, but it provides no warning about protecting, excluding, or securing those files. These artifacts can grant access to the user's YouTube account context, so careless storage, sharing, or committing them to source control could expose account access.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.