YouTube Activity

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This skill is a straightforward YouTube activity-listing wrapper, but it needs a YouTube OAuth token and an external CLI install, so users should verify the tool and credential scope.

This appears safe for its stated use of listing YouTube activity. Before installing, confirm you trust the `yutu` CLI source and protect the OAuth credential and token files because they can grant access to your YouTube account data.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone or anything with access to the configured token may be able to access YouTube account data according to the granted OAuth permissions.

Why it was flagged

The skill requires OAuth-based access to the user's YouTube account. This matches the stated YouTube activity-listing purpose, but OAuth tokens are sensitive delegated authority.

Skill content

requires Google Cloud Platform OAuth credentials and a cached token to access the YouTube API

Recommendation

Use a dedicated Google OAuth client where possible, grant only the scopes needed by `yutu`, keep `client_secret.json` and `youtube.token.json` private, and revoke the token if no longer needed.

What this means

Installing the external CLI gives that software local execution capability on the user's machine.

Why it was flagged

The setup directs users to install an external CLI through package managers or a release binary. This is central to the skill's purpose, but it means users rely on that external package's provenance and integrity.

Skill content

npm i -g @eat-pray-ai/yutu ... go install github.com/eat-pray-ai/yutu@latest ... Download a prebuilt binary from the releases page

Recommendation

Install `yutu` only from the expected official project or trusted package manager, review the project if needed, and avoid untrusted mirrors or unexpected binaries.