Security audit

YouTube I18n Region

Security checks across malware telemetry and agentic risk

Overview

This skill only lists YouTube regions, but setup asks you to create and store Google/YouTube OAuth files without explaining exact permissions or how to protect or remove them.

Before installing, verify the yutu CLI source and the Google OAuth consent screen scopes. Use a dedicated Google project or test account if possible, keep client_secret.json and youtube.token.json outside repositories, restrict file access, and revoke/delete the cached token when finished.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The setup guide instructs users to store OAuth client secrets and access tokens in local files (`client_secret.json` and `youtube.token.json`) but does not warn that these are sensitive credentials that must be protected from disclosure, accidental commits, or permissive file permissions. In a CLI skill context, users commonly work from project directories and shells where secrets can be exposed via source control, shared workspaces, backups, or logs, making this a real credential-handling weakness even though it is documentation rather than executable code.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal