Security audit

YouTube Super Chat Event

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward YouTube Super Chat listing helper, but it relies on OAuth files that users must protect.

Install only if you trust the yutu CLI and are comfortable granting it access to the selected YouTube account. Keep client_secret.json, youtube.token.json, and any YUTU_* credential values private, do not commit them to source control, and revoke or rotate OAuth access if either file is exposed.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 86% confidence
Finding: The setup guide instructs users to download an OAuth client secret and store both that secret and the resulting cached OAuth token locally, but it does not warn that these files are sensitive or recommend access controls. In a skill intended for operational use with YouTube APIs, these files can grant API access and account-linked capabilities if exposed through source control, backups, shared folders, or multi-user systems.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal