YouTube Video

v0.10.7-dev

Manage YouTube videos. Use this skill to list, upload, update, delete, get rating, or report videos. Useful when working with YouTube video — provides comman...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description match the declared requirements: the skill uses the yutu CLI and needs OAuth client credentials (client_secret.json / YUTU_CREDENTIAL) and a cached token (youtube.token.json / YUTU_CACHE_TOKEN). These are exactly what a YouTube management tool would need.
Instruction Scope
SKILL.md and reference docs instruct the agent to run yutu commands (list, insert, update, delete, rate, reportAbuse). The docs reference only YouTube-related files/flags (video files, thumbnail paths, OAuth files). There are no instructions to read or exfiltrate unrelated system files or to post data to endpoints other than YouTube/yutu.
Install Mechanism
Install uses an npm package (@eat-pray-ai/yutu) which is an expected distribution method but carries the usual npm risks (packages may run install scripts). The SKILL.md also documents additional install methods (brew, winget, go, prebuilt binaries) whereas the skill metadata only lists the node package — a minor inconsistency. Recommend reviewing the npm package source and its postinstall scripts or installing yutu via a system package/release binary you trust.
Credentials
The only required env vars and config files are YUTU_CREDENTIAL and YUTU_CACHE_TOKEN (plus client_secret.json and youtube.token.json). These are directly necessary for OAuth-based access to the YouTube API. No unrelated secrets or broad system credentials are requested.
Persistence & Privilege
always:false (good). The skill is user-invocable and allows normal autonomous invocation (disable-model-invocation:false) — that is the platform default. Because the skill can perform destructive actions (delete, report abuse) with the provided OAuth tokens, autonomous invocation increases impact if misused; this is a contextual risk rather than an incoherence.
Assessment
This skill appears to be what it claims: a wrapper around the yutu CLI that needs your YouTube OAuth client secret and cached token to act on your account. Before installing, do the following: (1) Verify the yutu package source (GitHub repo and npm package), review any package install scripts and the repository code if possible; (2) Prefer installing the yutu binary from an official release (GitHub releases, brew/winget/golang install) you trust rather than blindly installing npm global packages; (3) Use a limited-scope OAuth client and a test account if possible, since the skill can delete videos and report abuse; (4) Limit where you store YUTU_CREDENTIAL/YUTU_CACHE_TOKEN and revoke tokens/credentials if you stop using the skill. If you cannot verify the package source, consider this a moderate-risk installation.

Like a lobster shell, security has layers — review code before you run it.

Tags: 0.10.6-3, 0.10.7-dev, latest

Runtime requirements

🎬🐰 Clawdis
Bins: yutu
Env: YUTU_CREDENTIAL, YUTU_CACHE_TOKEN
Config: client_secret.json, youtube.token.json
Primary env: YUTU_CREDENTIAL

Install

Node
Bins: yutu
npm i -g @eat-pray-ai/yutu
