YouTube Channel Section

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This skill is a straightforward YouTube CLI wrapper, but it can delete channel sections and uses OAuth credentials, so users should confirm actions carefully.

This appears safe to use if you trust the yutu CLI and intend to manage YouTube channel sections. Keep the OAuth files private, use the least-privileged account practical, and manually confirm channel section IDs before allowing any delete command.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Running the delete command can change the layout/content organization of a YouTube channel and may not be easy to undo.

Why it was flagged

The skill documents a command that can delete one or more YouTube channel sections. This matches the stated purpose, but it is a destructive account action.

Skill content

yutu channelSection delete --ids abc123
# Delete multiple channel sections
yutu channelSection delete --ids abc123,def456

Recommendation

Only run delete commands for user-specified section IDs, and confirm the target IDs before executing.

What this means

Anyone or anything with access to the configured token may be able to perform YouTube API actions allowed by that token.

Why it was flagged

The skill requires OAuth credentials and a cached token to act against the user's YouTube account. This is expected for the YouTube API but is sensitive authority.

Skill content

yutu requires Google Cloud Platform OAuth credentials and a cached token to access the YouTube API

Recommendation

Store client_secret.json and youtube.token.json securely, avoid sharing them, and revoke/recreate the token if you no longer trust the environment.

What this means

The behavior ultimately depends on the installed yutu CLI, not only on this instruction file.

Why it was flagged

The skill depends on installing an external CLI package. That is central to the skill's purpose, but the provided artifact set does not include the package code.

Skill content

install:
  - kind: node
    package: "@eat-pray-ai/yutu"
    bins: [yutu]

Recommendation

Install yutu from a trusted source, consider pinning a known version, and review the upstream project if using it with valuable YouTube accounts.