YouTube Search

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This is a coherent YouTube search wrapper, but it uses an external `yutu` CLI with Google/YouTube OAuth credentials, so users should install and authorize it carefully.

Before installing, make sure you trust the `yutu` CLI package and are comfortable granting it YouTube OAuth access. Use the least-privileged Google account possible, review the OAuth scopes shown during consent, and protect or delete `youtube.token.json` when finished.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The tool may access YouTube account data available to the authorized OAuth token, including private search-related results if the token and command flags allow it.

Why it was flagged

The skill relies on a Google/YouTube OAuth flow and a cached account token. This is expected for an authenticated YouTube API tool, but it means the CLI can act with the permissions granted to that token.

Skill content

A browser window will open for you to grant YouTube access. After granting permission, a token is saved to `youtube.token.json`.

Recommendation

Authorize only the intended Google account, review the OAuth consent screen and scopes, and remove or rotate the cached token when you no longer need the skill.

What this means

Installing the skill requires installing and running the external `yutu` command-line tool on the local system.

Why it was flagged

The skill depends on an externally installed CLI package. This is central to the skill's function and is disclosed, but users are trusting that package and its updates.

Skill content

node | package: @eat-pray-ai/yutu | creates binaries: yutu

Recommendation

Install `yutu` from a trusted package source, consider pinning a known version, and avoid providing OAuth tokens to untrusted installations.