ClawHub

YouTube Playlist Image

v0.10.7-dev

Manage YouTube playlist images. Use this skill to list, insert, update, or delete playlist images. Useful when working with YouTube playlist image — provides...

0· 181·0 current·0 all-time
by@openwaygate
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (YouTube playlist image management) align with required binary (yutu), required config files (client_secret.json, youtube.token.json), and required env vars (YUTU_CREDENTIAL, YUTU_CACHE_TOKEN). These are expected for a YouTube OAuth-based CLI.
Instruction Scope
SKILL.md instructs the agent to run yutu CLI commands (list/insert/update/delete) and to perform OAuth auth flow via the yutu auth command. It does not direct the agent to read unrelated system files or contact unexpected endpoints beyond the YouTube OAuth flow and API.
Install Mechanism
Install lists npm package @eat-pray-ai/yutu which publishes the yutu binary (moderate trust level typical for npm packages). The setup doc also suggests brew/winget/go/releases as alternatives; the single declared install spec (node package) is coherent but warrants review of the npm package source before install.
Credentials
Requested env vars (YUTU_CREDENTIAL, YUTU_CACHE_TOKEN) and config paths correspond to OAuth client secret and cached token used by the YouTube API. No unrelated secrets or excessive env requirements are requested.
Persistence & Privilege
always is false and the skill is user-invocable only. It does not request elevated, system-wide persistence or modify other skills’ configs. Autonomous invocation is allowed (platform default) but not combined with other red flags.
Assessment
This skill is internally consistent for managing YouTube playlist images via the yutu CLI, but take these precautions before installing: 1) Review the @eat-pray-ai/yutu npm package and/or GitHub repo to verify authorship and recent releases (npm packages carry moderate supply-chain risk). 2) Use a limited-scope OAuth client (and a test Google Cloud project) rather than sensitive or organization-wide credentials; keep client_secret.json and youtube.token.json private. 3) Confirm which install method you want (npm, brew, releases) and only use trusted sources. 4) Note the skill will run the yutu binary (the agent may invoke it when asked); ensure you trust that binary before granting credentials.

Like a lobster shell, security has layers — review code before you run it.

0.10.6-3vk97emkt003krjmrwf0canp70w582s3sz0.10.7-devvk975pym022nt7s57tpq8gf1p1n82wbg7latestvk975pym022nt7s57tpq8gf1p1n82wbg7

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎬🐰 Clawdis
Binsyutu
EnvYUTU_CREDENTIAL, YUTU_CACHE_TOKEN
Configclient_secret.json, youtube.token.json
Primary envYUTU_CREDENTIAL

Install

Node
Bins: yutu
npm i -g @eat-pray-ai/yutu

Comments