YouTube Comment Thread
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This skill is mostly coherent, but it can post public YouTube comments using your OAuth token and does not include clear confirmation or scoping guidance before doing so.
Use this skill only if you are comfortable giving yutu OAuth access to your YouTube account. Treat comment insertion as a public posting action: review the exact video, channel, and text and require confirmation before allowing the agent to run the insert command.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If invoked incorrectly, the agent could post a public YouTube comment from the authorized account, affecting reputation or creating unwanted public content.
The documented operation posts a new YouTube comment, which is a public account action, but the instructions do not require explicit confirmation of the target video/channel and comment text before insertion.
yutu commentThread insert --channelId UC_x5X --videoId dQw4w9WgXcQ --authorChannelId UA_x5X --textOriginal 'Great video!'
Before using insert, require a final user confirmation that includes the exact video ID, channel ID, author/channel identity, and full comment text.
Anyone or any process with access to the token file or environment values may be able to act through the authorized YouTube account within the granted scopes.
The skill requires OAuth client credentials and a cached YouTube token to access the YouTube API. This is expected for the stated purpose, but it grants account-level API access.
requires:
  env:
    - YUTU_CREDENTIAL
    - YUTU_CACHE_TOKEN
  config:
    - client_secret.json
    - youtube.token.json
Use a dedicated Google Cloud OAuth client, keep token files private, grant only needed scopes, and revoke the token when the skill is no longer needed.
The installed external CLI will handle OAuth tokens and YouTube API actions, so its provenance and behavior matter.
The skill relies on an external CLI package to perform its work. That is coherent with the skill's purpose, but the runnable package code is not included in the provided artifacts.
install:
  - kind: node
    package: "@eat-pray-ai/yutu"
    bins: [yutu]
Install yutu only from trusted package sources, verify the package repository if possible, and keep it updated.
