YouTube Comment
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This YouTube comment skill is transparent about its purpose, but it gives an agent OAuth-backed ability to post, delete, mark spam, moderate, and ban YouTube comment authors without documented confirmation safeguards.
Install only if you intend to let the agent manage YouTube comments for the connected account. Treat delete, spam, moderation, and ban operations as sensitive: confirm every target comment ID and action before execution, and protect or revoke the OAuth token when not in use.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
66/66 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If invoked incorrectly or too broadly, the agent could remove or suppress comments, ban users, or change public moderation outcomes on the connected YouTube account.
The skill documents a direct command that can reject a YouTube comment and ban its author; similar references also allow deleting and marking multiple comments as spam, but the artifacts do not document confirmation or rollback safeguards.
yutu comment setModerationStatus --ids abc123 --moderationStatus rejected --banAuthor
Only use this skill with explicit user confirmation for create, update, delete, spam, moderation, and ban actions; verify comment IDs and intended moderation status before running commands.
Anyone, or any agent process, with access to the configured credential and cached token can perform the documented YouTube comment operations.
The skill clearly requires OAuth credentials and a cached YouTube token, which is expected for this purpose but gives the CLI delegated authority over the connected YouTube account.
yutu requires Google Cloud Platform OAuth credentials and a cached token to access the YouTube API
Use the least-privileged YouTube OAuth configuration available, keep client_secret.json and youtube.token.json private, and revoke the token if the skill is no longer needed.
The external yutu binary handles the OAuth tokens and YouTube API actions, so a compromised or unexpected version of it could affect the connected account.
The skill depends on an external CLI and documents several installation methods, including latest-version and prebuilt-binary paths; this is disclosed and purpose-aligned, but the runnable code is outside the supplied artifacts.
npm i -g @eat-pray-ai/yutu ... go install github.com/eat-pray-ai/yutu@latest ... Download a prebuilt binary from the releases page
Install yutu only from trusted sources, consider pinning a known version, and review the upstream project before granting YouTube access.
