YouTube Memberships Level

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This skill is a straightforward YouTube CLI wrapper for listing membership levels, but it requires YouTube OAuth credentials and a cached token that users should protect.

This appears safe for its stated purpose if you trust the yutu CLI and intend to grant it YouTube API access. Before installing, verify the OAuth permissions shown by Google, keep client_secret.json and youtube.token.json private, and avoid using credentials for accounts or channels you do not want the tool to access.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installing and configuring this skill means the yutu CLI can use your YouTube API credentials and saved token.

Why it was flagged

The skill needs OAuth credentials and a cached token for YouTube API access. This is expected for the stated YouTube membership-level listing purpose, but it gives the CLI delegated access to the user's YouTube account.

Skill content

yutu requires Google Cloud Platform OAuth credentials and a cached token to access the YouTube API.

Recommendation

Only use OAuth credentials you created intentionally, review the Google consent screen permissions, and protect or revoke youtube.token.json if you no longer use the tool.

What this means

The behavior of the skill depends on the installed yutu CLI package.

Why it was flagged

The skill depends on an external CLI package. This is central to the skill's purpose and clearly disclosed, but users are relying on that package's integrity.

Skill content

install:
      - kind: node
        package: "@eat-pray-ai/yutu"
        bins: [yutu]

Recommendation

Install yutu from the documented project or package manager source, and prefer a version you trust.

What this means

Anyone or any process that can read the cached token may be able to reuse the granted YouTube API access.

Why it was flagged

The setup guide discloses that authentication creates a persistent cached token file. That is normal for OAuth-based API tools, but the file should be treated as sensitive account access material.

Skill content

After granting permission, a token is saved to `youtube.token.json`.

Recommendation

Store youtube.token.json securely, avoid committing it to repositories, and revoke or delete it when access is no longer needed.