YouTube Playlist

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill is a coherent YouTube playlist manager with disclosed OAuth and playlist modification capabilities, but users should be careful because it can change or delete YouTube playlists.

This skill appears purpose-aligned and disclosed. Install it only if you trust the yutu CLI, protect the OAuth credential and token files, and require clear confirmation before creating, updating, making public, or deleting playlists.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A mistaken or over-broad delete/update command could remove or change playlists on the authenticated YouTube account.

Why it was flagged

The skill documents commands that can delete one or more YouTube playlists by ID. This is aligned with the skill purpose, but it is a high-impact action if the wrong IDs are used.

Skill content

yutu playlist delete --ids PLxxx1,PLxxx2

Recommendation

Before running delete or public-facing update commands, verify the playlist IDs, review the intended change, and require explicit user confirmation for destructive actions.

What this means

Anyone or any process with access to the configured token may be able to perform YouTube actions allowed by that OAuth grant.

Why it was flagged

The skill needs OAuth credentials and a cached token for the authenticated YouTube account. This is expected for managing playlists, but it is sensitive delegated access.

Skill content

yutu requires Google Cloud Platform OAuth credentials and a cached token to access the YouTube API.

Recommendation

Use the least-privileged Google account and OAuth consent you can, keep client_secret.json and youtube.token.json private, and revoke the token if you stop using the skill.

What this means

The actual behavior depends on the installed yutu package or binary, so installing from an untrusted or unexpected source could affect the user's YouTube account.

Why it was flagged

The skill is instruction-only and relies on installing an external CLI package. This is disclosed and central to the purpose, but the executable itself is outside the provided artifact text.

Skill content

node | package: @eat-pray-ai/yutu | creates binaries: yutu

Recommendation

Install yutu from the expected upstream source, pin or verify versions where possible, and avoid untrusted package mirrors or unofficial binaries.