YouTube Thumbnail
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This skill's instructions are consistent with its stated purpose of setting YouTube thumbnails, but it relies on an external CLI and a YouTube OAuth token that can change account content.
Before installing, confirm you trust the yutu CLI source, protect the OAuth client secret and cached token, and only run thumbnail changes after checking the video ID and image file.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken invocation could update the wrong video's thumbnail or publish an unintended image as the thumbnail.
This command directly changes the thumbnail for a YouTube video. That is the skill's stated purpose, but users should verify the video ID and image before running it.
yutu thumbnail set --file image.jpg --videoId dQw4w9WgXcQ
Confirm the target video ID and thumbnail file before using the set command, and consider requiring explicit user confirmation for thumbnail changes.
Anyone or any process with access to the cached token may be able to act through the granted YouTube permissions.
The skill requires OAuth authorization and stores a cached token so yutu can call the YouTube API. This is expected for setting thumbnails but gives the CLI delegated YouTube account access.
A browser window will open for you to grant YouTube access. After granting permission, a token is saved to `youtube.token.json`.
Use the minimum needed YouTube API permissions, store `client_secret.json` and `youtube.token.json` securely, and revoke or delete the token when it is no longer needed.
Installing the external CLI gives that package code execution on the local machine.
The skill is instruction-only and depends on an external yutu CLI package or binary installed from package managers or releases. This is central to the skill, but the executable code is outside the provided artifacts.
npm i -g @eat-pray-ai/yutu
Install yutu only from trusted sources, prefer pinned or verified releases where possible, and review the upstream project before granting YouTube access.
