YouTube I18n Language

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill appears to be a straightforward wrapper for listing YouTube i18n languages, but it depends on an external CLI and sensitive YouTube OAuth credentials.

This skill looks appropriate if you want to use the `yutu` CLI to list YouTube i18n languages. Before installing, make sure you trust the `@eat-pray-ai/yutu` package, understand what YouTube OAuth permissions you grant, and keep `client_secret.json` and `youtube.token.json` protected.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If installed and authenticated, the `yutu` CLI can use the YouTube API permissions granted during OAuth consent.

Why it was flagged

The skill requires Google/YouTube OAuth credential material and a cached token, which is expected for a YouTube API CLI but gives the installed tool delegated account access.

Skill content

`YUTU_CREDENTIAL` | Path, base64, or JSON of OAuth client secret
...
`YUTU_CACHE_TOKEN` | Path, base64, or JSON of cached OAuth token

Recommendation

Review the OAuth consent screen and scopes, use a dedicated GCP project or limited account where possible, store token files securely, and revoke the token when no longer needed.

What this means

Installing the skill means installing and running the external `yutu` binary on the local machine.

Why it was flagged

The skill depends on an external CLI package rather than included code. This is purpose-aligned for a CLI wrapper, but users must trust the package source.

Skill content

install:
      - kind: node
        package: "@eat-pray-ai/yutu"
        bins: [yutu]

Recommendation

Install from a trusted package manager or verified release, consider pinning a known version, and review the upstream project if the account has sensitive YouTube access.