YouTube Video Abuse Report Reason

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward YouTube CLI helper that discloses its OAuth setup, with no hidden or destructive behavior in the skill artifacts.

Install only if you trust the yutu CLI source. Treat client_secret.json and youtube.token.json as secrets: do not commit, share, paste, or log them; store them with restricted permissions and revoke or rotate the OAuth grant if either file may have been exposed.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The setup guide instructs users to create `client_secret.json` and `youtube.token.json` but does not warn that these files contain sensitive OAuth credentials and refresh/access tokens that can grant API access if exposed. In a setup document for a CLI tool, omission of basic secret-handling guidance increases the likelihood that users will commit, share, or store these files insecurely.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal