YouTube Playlist Image

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward YouTube playlist-image CLI guide with disclosed account access and content-changing commands.

Install only if you trust the yutu CLI and are comfortable granting it access to your YouTube account. Keep client_secret.json and youtube.token.json private, verify the active account and playlist image IDs before update or delete commands, and avoid uploading sensitive local images as playlist artwork.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: This documentation presents a destructive delete command with concrete examples but provides no warning, confirmation guidance, or recovery caveat. In an agent skill context, users or downstream agents may execute the command directly, increasing the chance of accidental deletion of playlist images, especially when multiple IDs can be supplied in one invocation.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal