Skill v0.10.7-dev
ClawScan security
YouTube Memberships Level · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 14, 2026, 2:04 PM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requirements, instructions, and install method are consistent with a CLI-based YouTube memberships listing tool that uses OAuth credentials; nothing requested appears unrelated to that purpose.
- Guidance: This skill delegates work to the external 'yutu' CLI and requires your YouTube OAuth client_secret and cached token files. Only install if you trust the @eat-pray-ai/yutu package and its GitHub repo (review authors, recent releases, and npm/sha integrity). Installing the npm package will place a binary on your PATH and run code from that package. If you prefer, you can manually install yutu from the project releases and run the auth flow locally (yutu auth) to create youtube.token.json rather than providing secrets directly to an unfamiliar environment. Do not share client_secret.json or youtube.token.json publicly, and consider using least-privilege test credentials if you want to evaluate the skill first.
Review Dimensions
- Purpose & Capability: ok. Name/description target listing YouTube membership levels and the skill requires the yutu CLI, OAuth client secret and cached token, all directly relevant to calling the YouTube API via a local CLI.
- Instruction Scope: ok. SKILL.md only instructs use of the yutu CLI and the documented OAuth setup. It does not ask the agent to read unrelated files, contact unexpected endpoints, or exfiltrate data beyond using the provided OAuth flow and token files.
- Install Mechanism: ok. Install is via a named Node package (@eat-pray-ai/yutu) producing a yutu binary, which is a standard and expected delivery mechanism for a CLI. No untoward download URLs or archive extraction are used in the provided spec.
- Credentials: ok. Required env vars and config paths (YUTU_CREDENTIAL, YUTU_CACHE_TOKEN, client_secret.json, youtube.token.json) are appropriate for an OAuth-based YouTube CLI. There are no additional unrelated credentials requested.
- Persistence & Privilege: ok. Skill is not always-enabled and defaults allow user invocation; it does not request unusual persistent privileges or to modify other skills/system settings.
