ClawHub

YouTube Thumbnail

v0.10.7-dev

Manage YouTube video thumbnails. Use this skill to set custom thumbnails for videos. Useful when working with YouTube thumbnail — provides commands to set th...

1· 217·0 current·0 all-time
by@openwaygate
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (set YouTube thumbnails) match the declared binary (yutu), required OAuth files (client_secret.json, youtube.token.json), and env vars (YUTU_CREDENTIAL, YUTU_CACHE_TOKEN). These are expected for a YouTube CLI that uses OAuth.
Instruction Scope
SKILL.md and reference files only instruct installing/using the yutu CLI and performing OAuth auth flow (local redirect, token saved to youtube.token.json). They do not ask to read unrelated files, exfiltrate data, or call unexpected external endpoints.
Install Mechanism
Install uses an npm package (@eat-pray-ai/yutu) which is reasonable for providing the yutu binary; npm packages are a moderate-risk supply chain vector compared with instruction-only skills. The included README also documents other distribution channels (brew/winget/go/releases) — not inherently problematic but verify the package and release source before installing.
Credentials
Requested env vars and config paths (OAuth client secret and cached token) are expected and proportionate for authorizing against the YouTube Data API. The primary credential (YUTU_CREDENTIAL) matches the service purpose.
Persistence & Privilege
Skill is not forced-always, does not request elevated agent-wide privileges, and is instruction-only (no code written by the skill). Autonomous invocation is enabled by default but not combined with other concerning flags.
Assessment
This skill appears coherent: it wraps the yutu CLI and requires standard YouTube OAuth artifacts. Before installing, verify the origin and integrity of the @eat-pray-ai/yutu package (inspect the GitHub repo, npm package, and release artifacts), and ensure the OAuth client and token you provide have the minimal scopes needed. Avoid placing long-lived credentials in shared environments; prefer per-project credential files (client_secret.json / youtube.token.json) and review the token file contents before sharing. If you need higher assurance, install the tool from the repo's official releases and review its source code for unexpected network calls or telemetry.

Like a lobster shell, security has layers — review code before you run it.

0.10.6-3vk97f87yvaaszqj8y06g9rkpdfd82t3am0.10.7-devvk97b3t0zkswe4ce1323msy63vs82x37glatestvk97b3t0zkswe4ce1323msy63vs82x37g

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎬🐰 Clawdis
Binsyutu
EnvYUTU_CREDENTIAL, YUTU_CACHE_TOKEN
Configclient_secret.json, youtube.token.json
Primary envYUTU_CREDENTIAL

Install

Node
Bins: yutu
npm i -g @eat-pray-ai/yutu

Comments