YouTube Channel
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill is coherent for managing YouTube channel metadata, but it uses YouTube OAuth credentials and can change public channel information, so updates should be reviewed before execution.
Install this only if you trust the yutu CLI source and are comfortable granting it YouTube API access. Protect the OAuth credential and token files, and require explicit review before any channel update command changes public channel metadata.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An incorrect or unintended update command could change visible YouTube channel information.
The skill documents commands that can update channel fields such as description, title, country, default language, and custom URL. This is aligned with the skill purpose, but it can change public channel metadata.
yutu channel update --id UC_x5XG1OV2P6uZZ5FSM9Ttw --description 'New description'
Before running update commands, confirm the target channel ID and exact metadata changes with the user.
Anyone or any process with access to the cached token may be able to act on the connected YouTube account within the granted permissions.
The skill requires OAuth authorization and stores a cached token for later YouTube API access. This is expected for the integration, but the token carries sensitive account authority.
A browser window will open for you to grant YouTube access. After granting permission, a token is saved to `youtube.token.json`.
Keep client_secret.json and youtube.token.json private, use the minimum needed OAuth access, and revoke or delete the token when no longer needed.
The behavior ultimately depends on the installed yutu binary and its source integrity.
The skill relies on an external CLI installed from package managers or latest release binaries. This is purpose-aligned, but the executable code is not included in the provided artifacts.
npm i -g @eat-pray-ai/yutu ... go install github.com/eat-pray-ai/yutu@latest ... Download a prebuilt binary from the releases page
Install yutu from a trusted source, consider pinning a version, and verify the package or release provenance before using it with YouTube credentials.
