YouTube I18n Region
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This skill only lists YouTube region data, but it requires YouTube OAuth credentials and a cached token, so users should review the requested access carefully.
Review the OAuth consent screen before approving access. This skill appears to be a narrow yutu wrapper for listing YouTube i18n regions, but it still requires a cached YouTube token. Use a dedicated account or project if possible, keep `client_secret.json` and `youtube.token.json` private, and verify the yutu CLI source before installing.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the skill may give the underlying CLI access to a YouTube account token, not just public region-listing data.
The skill's stated operation is listing i18n regions, but it requires OAuth client credentials and a cached YouTube token. The artifacts do not document the OAuth scopes or constrain the token to only this read-only operation.
requires:
  env:
    - YUTU_CREDENTIAL
    - YUTU_CACHE_TOKEN
  config:
    - client_secret.json
    - youtube.token.json
Before using it, verify the OAuth scopes requested by yutu, use a dedicated Google project or test account if possible, and remove or rotate `youtube.token.json` when no longer needed.
A cached token could continue to be usable by the yutu CLI after setup, depending on the granted scopes and local file access.
The setup flow creates persistent delegated YouTube access, but the artifact describes it broadly as 'YouTube access' and does not state the exact permissions being granted.
A browser window will open for you to grant YouTube access. After granting permission, a token is saved to `youtube.token.json`.
Confirm the consent screen permissions before approving, keep the token file private, and revoke the OAuth grant from your Google account if you stop using the tool.
Installing the CLI gives that external package or binary the ability to run locally and use the configured YouTube credentials.
The skill relies on an externally installed CLI, including global package installation, latest-version Go install, and prebuilt binaries. This is expected for the yutu-based workflow, but the executable code is not included in the skill artifact.
npm i -g @eat-pray-ai/yutu ... go install github.com/eat-pray-ai/yutu@latest ... Download a prebuilt binary from the releases page
Install yutu only from a trusted source, prefer pinned or verified releases where possible, and review the upstream project before providing credentials.
