YouTube Caption
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This is a coherent YouTube caption-management skill, but it needs YouTube OAuth access and can modify or delete captions, so users should review actions carefully.
Install this only if you trust the yutu CLI and are comfortable granting YouTube API access. Before running delete, update, insert, or publish-related commands, verify the target video, caption IDs, and account context, and protect the OAuth token file.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If run with the wrong IDs or account context, captions could be deleted from YouTube videos.
The skill documents commands that can delete multiple YouTube caption tracks. This is purpose-aligned, but destructive account actions should be explicitly intended by the user.
`yutu caption delete --ids abc123,def456`
Confirm video and caption IDs before delete/update/insert operations, and keep local backups of caption files.
Anyone with access to the cached token may be able to perform YouTube API actions allowed by the granted OAuth scopes.
The skill requires OAuth authorization and stores a cached token so the CLI can act on the user's YouTube account. This is expected for YouTube caption management, but it is sensitive account access.
A browser window will open for you to grant YouTube access. After granting permission, a token is saved to `youtube.token.json`.
Use the intended Google account, limit access to the token file, and revoke the OAuth grant if the skill is no longer needed.
The installed yutu CLI will handle credentials and make YouTube API calls, so its provenance matters.
The skill depends on an externally installed CLI binary. That dependency is central to the skill, but the runnable package contents are not included in the provided artifacts.
node | package: @eat-pray-ai/yutu | creates binaries: yutu
Install from a trusted package source, verify the project homepage if needed, and keep the CLI updated from trusted channels.
