YouTube Playlist Item
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This skill is purpose-aligned for managing YouTube playlist items, but it uses OAuth credentials and can add, change, or delete playlist content through an external CLI (yutu).
This appears safe for its stated purpose if you intend to let the agent manage YouTube playlist items. Before installing, decide whether you are willing to grant the agent YouTube OAuth access to the account; then protect the generated token file, install the yutu CLI from a trusted source and pin its version, and require confirmation before any insert, update, or delete operation.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If invoked with the wrong IDs or playlist, the agent could add, update, or delete YouTube playlist items.
The skill intentionally exposes mutating playlist operations, including removal. That is coherent with its stated purpose, but a wrong playlist or item ID turns an intended edit into an unintended change to account content, and nothing in the skill itself checks that the IDs it was given are the ones the user meant.
Evidence: Manage YouTube playlist items. Use this skill to list items in a playlist, add new items, update items, or remove items.
Recommendation: Have the agent state the target playlist ID, item ID, and requested action, and confirm them with the user, before running any insert, update, or delete command.
Anyone or anything with access to the configured token may be able to perform YouTube API actions allowed by that OAuth grant.
The skill needs OAuth credentials and a cached token to act on the user's YouTube account. That is expected for the integration, but it is sensitive account authority: the cached token (with `client_secret.json` beside it) is all a caller needs to act as the account, and the write scope required for playlist edits covers more than playlists.
Evidence: yutu requires Google Cloud Platform OAuth credentials and a cached token to access the YouTube API... a token is saved to `youtube.token.json`.
Recommendation: Request the narrowest OAuth scope the CLI lets you configure (listing works with a read-only scope; insert, update, and delete need a YouTube write scope, and the YouTube Data API has no playlist-only write scope, so a write-capable token can also change other account content), keep `client_secret.json` and `youtube.token.json` readable by the owner only (mode 600) and outside any directory other users or processes can read, and revoke the grant in the Google account's third-party access settings or rotate the token when it is no longer needed.
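The two recommendations above (confirm before any mutating command; keep the credential files private) can be enforced in one place with a wrapper the agent calls instead of yutu. The script below is an added example, not part of the skill or of the yutu project. It assumes yutu's command layout is `yutu <resource> <action> [flags]` (for example `yutu playlistItem insert ...`); the variable names CLIENT_SECRET, TOKEN_FILE, and YUTU_BIN are this example's own, not yutu's, and the flags in the usage comment are placeholders, so check `yutu --help` for the real ones.

```shell
#!/bin/sh
# Added example: a guard wrapper around the yutu CLI. Not part of the skill or of yutu.
# Assumptions (not taken from the reviewed page): yutu is invoked as
# "yutu <resource> <action> [flags]", e.g. "yutu playlistItem insert ...", and the
# CLIENT_SECRET / TOKEN_FILE / YUTU_BIN variables are this example's own names.
set -u

CLIENT_SECRET="${CLIENT_SECRET:-client_secret.json}"
TOKEN_FILE="${TOKEN_FILE:-youtube.token.json}"
YUTU_BIN="${YUTU_BIN:-yutu}"

# file_is_private FILE: succeeds only if FILE exists and no group/other permission
# bit is set (the "------" tail of the ls mode string). ls is used rather than stat
# because GNU and BSD stat take different flags.
file_is_private() {
    [ -f "$1" ] || return 1
    perm=$(ls -ld "$1" | cut -c5-10)
    [ "$perm" = "------" ]
}

# is_mutating RESOURCE ACTION: succeeds for the actions that write to the account.
is_mutating() {
    case "${2:-}" in
        insert|update|delete) return 0 ;;
        *) return 1 ;;
    esac
}

# confirm_action ARGS...: prints the exact command and requires a human to type
# "yes" on the controlling terminal. Reading from /dev/tty rather than stdin means
# an agent cannot satisfy the prompt by piping input into the wrapper.
confirm_action() {
    answer=""
    printf 'About to run: yutu %s\nType yes to continue: ' "$*" >&2
    read -r answer < /dev/tty || return 1
    [ "$answer" = "yes" ]
}

# guarded_yutu RESOURCE ACTION [flags...]: run yutu only after the checks pass.
# Exit status 2: a credential file is too permissive; 3: the operator declined.
guarded_yutu() {
    for f in "$CLIENT_SECRET" "$TOKEN_FILE"; do
        if [ -f "$f" ] && ! file_is_private "$f"; then
            echo "refusing to run: $f is readable by group/other; run: chmod 600 '$f'" >&2
            return 2
        fi
    done
    if is_mutating "$1" "${2:-}" && ! confirm_action "$@"; then
        echo "aborted: $1 ${2:-} was not confirmed" >&2
        return 3
    fi
    # umask 077 in a subshell: a token file yutu creates on first run is owner-only,
    # and the caller's own umask is left untouched.
    ( umask 077; "$YUTU_BIN" "$@" )
}

# Run as a script (flag names are placeholders):
#   sh yutu-guard.sh playlistItem list --playlistId <playlist id>
if [ "$#" -gt 0 ]; then
    guarded_yutu "$@"
fi
```

Put only this wrapper on the agent's PATH (named `yutu`, with the real binary reachable through YUTU_BIN) so that every mutating call goes through the prompt; the permission check runs on every invocation, so a token file that later becomes world-readable stops the tool rather than being used.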
The actual runtime behavior depends on the installed yutu binary/package and its supply chain.
The skill relies on installing an external CLI from package managers or releases. That is central to the skill, but the CLI implementation itself was not part of the reviewed artifacts, so this review says nothing about what the installed binary does with the credentials it is given.
Evidence: npm i -g @eat-pray-ai/yutu ... go install github.com/eat-pray-ai/yutu@latest ... Download a prebuilt binary from the releases page
Recommendation: Install yutu from a trusted source, pin an explicit version (both `npm i -g` and `go install` accept `@<version>` in place of `@latest`) so a later release cannot change behavior silently, verify the checksum or signature of a prebuilt release if the project publishes one, and review the package contents or source before using it with YouTube credentials.
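The verify-before-use step for a prebuilt release, as an added example that is not part of the skill or of the yutu project: POSIX sh functions that compare a downloaded release file against a SHA-256 digest obtained out of band (the checksum the project publishes, if it does, or the digest you recorded when you reviewed that release) and copy the binary into place only on a match. File names, versions, and digests in the comments are placeholders; the functions take them as arguments.

```shell
#!/bin/sh
# Added example, not part of the skill or of yutu. Pinned installs instead of a
# floating tag look like this (version numbers are placeholders):
#   npm i -g @eat-pray-ai/yutu@<version>
#   go install github.com/eat-pray-ai/yutu@v<version>
# For a prebuilt binary from the releases page, verify it before it touches credentials.
set -u

# sha256_of FILE: prints the hex SHA-256 digest. Works with GNU coreutils
# (sha256sum) and BSD/macOS (shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_release FILE EXPECTED_HEX: exit 0 only when the digest matches exactly.
# Exit 2 means the file could not be hashed; exit 1 means a mismatch.
# The expected digest is case-folded so a copy-pasted uppercase digest still works.
verify_release() {
    [ -f "$1" ] || { echo "no such file: $1" >&2; return 2; }
    actual=$(sha256_of "$1")
    [ -n "$actual" ] || { echo "could not hash $1" >&2; return 2; }
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch for $1" >&2
        echo "  expected $expected" >&2
        echo "  actual   $actual" >&2
        return 1
    fi
}

# install_verified FILE EXPECTED_HEX DEST: copy FILE to DEST and mark it
# executable only after verify_release succeeds; nothing is written otherwise.
install_verified() {
    verify_release "$1" "$2" || return $?
    cp "$1" "$3" && chmod 0755 "$3"
}

# Run as a script (paths and digest are placeholders):
#   sh verify-yutu.sh ./yutu-release-binary <expected sha256> /usr/local/bin/yutu
if [ "$#" -eq 3 ]; then
    install_verified "$1" "$2" "$3"
fi
```

Record the digest you verified next to the pinned version in the skill's install notes; a later release with a different digest then has to be reviewed again rather than slipping in through `@latest`.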
