YouTube Comment Thread

v0.10.7-dev

Manage YouTube comment threads. Use this skill to list or insert new top-level comment threads. Useful when working with YouTube comment thread — provides co...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description, required binary (yutu), required env vars (YUTU_CREDENTIAL, YUTU_CACHE_TOKEN), and config paths (client_secret.json, youtube.token.json) all match the stated purpose of using the yutu CLI to access the YouTube API.
Instruction Scope
SKILL.md and the reference docs instruct only on installing/authenticating yutu and running commentThread list/insert commands. The instructions reference only the declared env vars and files and do not ask the agent to read unrelated files, contact unexpected endpoints, or exfiltrate data.
Install Mechanism
Install uses a public npm package (@eat-pray-ai/yutu) to provide the yutu binary which is appropriate for a CLI wrapper. Installing npm packages has normal supply-chain risk (packages execute code during install), so verify the package provenance and prefer official releases via your platform's package manager or the project's GitHub releases if available.
Credentials
Requested env vars and files are proportional to the task: OAuth client secret and cached token are required to authenticate with YouTube and to post/list comments. These are sensitive credentials that grant permission to act on the user's YouTube account and should be protected.
Persistence & Privilege
Skill is not always-enabled and does not request system-wide configuration changes or other skills' credentials. It will rely on the yutu CLI and standard OAuth token files—no elevated platform privileges are requested.
Assessment
This skill appears to do what it says, but take these precautions before installing:
1) Verify the '@eat-pray-ai/yutu' package and GitHub repo (release page, maintainer reputation) before npm installing.
2) Inspect the package contents or prefer installing from an official release/binary channel if you cannot audit the package.
3) Treat YUTU_CREDENTIAL and YUTU_CACHE_TOKEN (and client_secret.json / youtube.token.json) as sensitive—use least-privilege OAuth credentials and revoke tokens if you suspect misuse.
4) If you only need read-only access, create OAuth credentials scoped accordingly.
5) Run installs in an environment where you can control and monitor network and file writes (or use a disposable account) if you have supply-chain concerns.

Like a lobster shell, security has layers — review code before you run it.

0.10.6-3 · vk97814xww7zjh7gv9mekxkmz5182rccc
0.10.7-dev · vk97d6htjer067t7970bse2rg4182x7f7
latest · vk97d6htjer067t7970bse2rg4182x7f7

Runtime requirements

🎬🐰 Clawdis
Bins: yutu
Env: YUTU_CREDENTIAL, YUTU_CACHE_TOKEN
Config: client_secret.json, youtube.token.json
Primary env: YUTU_CREDENTIAL

Install

Node
Bins: yutu
npm i -g @eat-pray-ai/yutu
