YouTube Comment
v0.10.7-dev
Manage YouTube comments. Use this skill to list, create, update, delete, mark as spam, or set moderation status for comments. Useful when working with YouTub...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the required binary (yutu), the declared config files (client_secret.json, youtube.token.json), and the operations in SKILL.md. Asking for OAuth client secret and cached token is expected for a YouTube-comments tool.
Instruction Scope
SKILL.md only instructs the agent to call the yutu CLI and to perform OAuth setup that stores tokens locally; it does not request unrelated files, extraneous credentials, or transmission to unexpected endpoints. The provided command examples map directly to the described comment-management actions.
Install Mechanism
Install uses an npm package (@eat-pray-ai/yutu) which is reasonable for providing the yutu binary. npm installs carry moderate risk compared to platform packages; the README also documents brew/winget/go releases but the metadata's install spec only lists the Node package (not a contradiction, just a single declared install path).
Credentials
Required env vars (YUTU_CREDENTIAL, YUTU_CACHE_TOKEN) and config files correspond directly to OAuth client secrets and cached tokens; no unrelated secrets or broad credential requests are present.
Persistence & Privilege
always is false and the skill does not request system-wide or other-skills configuration changes. The only persistence is the normal OAuth token saved by yutu to youtube.token.json, which is explained in the setup guide.
Assessment
This skill is coherent with its purpose, but before installing: (1) verify the npm package and GitHub repo owner (@eat-pray-ai / https://github.com/eat-pray-ai/yutu) to ensure you trust the publisher; (2) prefer installing from an official release (brew/winget/go or GitHub releases) if you want to avoid npm risks; (3) review the yutu README or source if possible; (4) use a least-privilege Google account for OAuth, and be aware the tool will store a local token (youtube.token.json); (5) do not provide unrelated credentials—only YUTU_CREDENTIAL and YUTU_CACHE_TOKEN are required for normal use.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
🎬🐰 Clawdis
Bins: yutu
Env: YUTU_CREDENTIAL, YUTU_CACHE_TOKEN
Config: client_secret.json, youtube.token.json
Primary env: YUTU_CREDENTIAL
Install
Node
Bins: yutu
npm i -g @eat-pray-ai/yutu