YouTube Activity

v0.10.7-dev

Manage activities on YouTube. Use this skill to list channel activities. Useful when working with YouTube activity — provides commands to list activity via t...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description ask to manage/list YouTube activities; declared binary (yutu), OAuth client secret, and cached token are appropriate and necessary for YouTube API access.
Instruction Scope
SKILL.md and references only instruct installing/using yutu, creating Google OAuth credentials, and running yutu auth to obtain a token. No instructions to read unrelated files, exfiltrate data, or call unexpected endpoints.
Install Mechanism
Install spec declares an npm package (@eat-pray-ai/yutu) which creates the yutu binary — appropriate for a CLI. Documentation also lists brew/winget/go/release downloads; the install section only includes the node/npm method, a minor inconsistency but not malicious. Installing an npm global package carries the normal supply-chain risk of third-party packages.
Credentials
Required env vars (YUTU_CREDENTIAL, YUTU_CACHE_TOKEN) and config files (client_secret.json, youtube.token.json) map directly to OAuth client secrets and cached tokens needed to access the YouTube API — proportional to the skill's functionality.
Persistence & Privilege
always is false and the skill does not request system-wide config changes or other skills' credentials. Autonomous invocation (model invocation enabled) is the platform default and not a red flag here.
Assessment
This skill appears coherent: it wraps the yutu CLI to list YouTube activities and requires the expected Google OAuth client secret and token. Before installing, verify you trust the @eat-pray-ai/yutu package and its GitHub repo (review code or release artifacts), prefer installation from an official release channel for your platform, and limit OAuth scopes when creating credentials. If you are concerned about npm supply-chain risk, install the binary from an audited release or run in an isolated environment. Do not share your OAuth client secret or token with untrusted sources.



Runtime requirements

🎬🐰 Clawdis
Bins: yutu
Env: YUTU_CREDENTIAL, YUTU_CACHE_TOKEN
Config: client_secret.json, youtube.token.json
Primary env: YUTU_CREDENTIAL

Install

Node
Bins: yutu
npm i -g @eat-pray-ai/yutu
