YouTube Channel Banner

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This skill is coherent with its stated purpose of uploading a YouTube channel banner, but it relies on an external CLI and your YouTube OAuth token, so use it only for channels you intend to modify.

Before installing, make sure you trust the yutu CLI source and understand that it will use your YouTube OAuth authorization to modify a channel banner. Keep the OAuth credential and token files private, and double-check the channel ID and banner image before running the upload command.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If run with the wrong channel ID or image file, it could change the visible banner on a YouTube channel.

Why it was flagged

The main operation uploads a banner image to a specified YouTube channel, which is a real account/content change.

Skill content

yutu channelBanner insert --channelId UC_x5XG1OV2P6uZZ5FSM9Ttw --file banner.jpg

Recommendation

Confirm the channel ID, image file, and desired output before running the insert command.

What this means

Anyone or anything that can use the cached token may be able to act on the authorized YouTube account within the granted scopes.

Why it was flagged

The skill depends on OAuth authorization and a cached token that can be used to access the user's YouTube account through the yutu CLI.

Skill content

A browser window will open for you to grant YouTube access. After granting permission, a token is saved to `youtube.token.json`.

Recommendation

Use a trusted machine, keep client_secret.json and youtube.token.json private, grant the minimum needed access, and revoke the token if you no longer need the skill.

What this means

The safety of the skill also depends on the authenticity and integrity of the installed yutu package or binary.

Why it was flagged

The setup guide installs an external CLI from package managers or latest releases; the executable code is not part of the provided skill artifacts.

Skill content

npm i -g @eat-pray-ai/yutu ... go install github.com/eat-pray-ai/yutu@latest

Recommendation

Install yutu only from the official project or package source, prefer pinned or verified versions where possible, and review the upstream project before granting OAuth access.