YouTube Playlist Image
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill is coherent for managing YouTube playlist images, but it uses YouTube OAuth access and can change or delete playlist images, so users should trust the yutu CLI and confirm account-changing actions.
Before installing, make sure you trust the yutu CLI package and are comfortable granting it YouTube API access. Protect the OAuth client secret and cached token files, and review any insert, update, or delete command before allowing it to run.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken or unintended command could change or remove playlist imagery on the connected YouTube account.
The skill exposes a delete operation that can remove one or more YouTube playlist images. This is aligned with the stated purpose, but it is an account-changing action that should be used only with explicit user intent.
yutu playlistImage delete --ids abc123,def456
Confirm playlist IDs and intended action before running insert, update, or delete commands, especially bulk deletes.
Anyone or any process with access to the credential or cached token may be able to perform YouTube API actions allowed by that token.
The skill requires OAuth credentials and a cached token to act through the YouTube API. This is expected for managing YouTube playlist images, but it grants account-level delegated access within the approved scopes.
yutu requires Google Cloud Platform OAuth credentials and a cached token to access the YouTube API
Use the least-privileged Google project/scopes available, keep client_secret.json and youtube.token.json private, and revoke the token if you stop using the skill.
Installing the CLI means the upstream package runs as an executable on the local machine and, when used, can access the configured YouTube credentials.
The setup installs an external CLI/binary, including unpinned or latest-style install paths. This is the expected mechanism for the skill, but it means the executable behavior comes from the upstream yutu package.
npm i -g @eat-pray-ai/yutu ... go install github.com/eat-pray-ai/yutu@latest
Install yutu only from trusted sources, prefer pinned or verified releases when possible, and keep it updated from the official project.
