YouTube Search

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward YouTube CLI wrapper, but users should treat its OAuth files as sensitive secrets.

Before installing, make sure you trust the yutu package publisher and repository. Store client_secret.json and youtube.token.json somewhere private, do not commit or share them, and revoke or rotate the Google OAuth credentials if either file is exposed.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 86% confidence
Finding: The skill explicitly requires OAuth credentials and cached tokens but does not warn users that these files and environment variables are sensitive secrets. In agent or shared-shell contexts, this omission can lead to unsafe handling, accidental disclosure in logs, prompts, screenshots, or repositories, increasing the likelihood of credential compromise.

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The setup guide instructs users to download OAuth client credentials and store both the client secret and the resulting access token in predictable local files, but it provides no warning about treating these as sensitive secrets. That omission can lead users to commit the files to source control, share them in unsafe locations, or leave them with weak permissions, enabling unauthorized access to the associated YouTube account or API project.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal