YouTube Playlist Item
v0.10.7-dev
Manage YouTube playlist items. Use this skill to list items in a playlist, add new items, update items, or remove items. Useful when working with YouTube pla...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description, required binary (yutu), required config files (client_secret.json, youtube.token.json) and env vars (YUTU_CREDENTIAL, YUTU_CACHE_TOKEN) all match a YouTube OAuth-based CLI that manages playlist items.
Instruction Scope
SKILL.md instructs only to run the yutu CLI and to perform OAuth setup (yutu auth) which saves tokens locally. It does not ask for unrelated files, hidden endpoints, or unexplained data exfiltration.
Install Mechanism
Declared install is a Node package (@eat-pray-ai/yutu) that produces a yutu binary; setup docs also mention brew/winget/go/GitHub releases. This is coherent for a CLI but installing npm/global packages executes third‑party code (postinstall scripts etc.), so verify package origin and integrity before installing.
Credentials
Requested env vars and config paths are the OAuth client secret and cached token needed to call the YouTube API. These are sensitive but expected and limited to the YouTube integration.
Persistence & Privilege
Skill is not forced-always (always:false) and uses normal autonomous invocation. It does not request system-wide configuration changes or access to other skills' credentials.
Assessment
This skill appears to do what it says: it wraps the yutu CLI and requires Google OAuth credentials and a saved token. Before installing/using it:
1) Inspect the upstream project (https://github.com/eat-pray-ai/yutu) and npm package to verify the publisher and recent activity;
2) be aware that npm/global installs run third‑party code—consider installing in an isolated environment or using a packaged release you trust;
3) provide a least-privilege OAuth client (restrict scopes) and use a dedicated account/token you can revoke if needed;
4) confirm the expected redirect (http://localhost:8216) during auth and that tokens are stored only in the declared youtube.token.json;
5) revoke OAuth credentials if you later suspect compromise.
Like a lobster shell, security has layers — review code before you run it.
Version tags: 0.10.6-3, 0.10.7-dev, latest
Runtime requirements
🎬🐰 Clawdis
Bins: yutu
Env: YUTU_CREDENTIAL, YUTU_CACHE_TOKEN
Config: client_secret.json, youtube.token.json
Primary env: YUTU_CREDENTIAL
Install
Node
Bins: yutu
npm i -g @eat-pray-ai/yutu