Skill v0.10.7-dev
ClawScan security
YouTube Video Abuse Report Reason · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 14, 2026, 2:16 PM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requirements, instructions, and install steps are consistent with a CLI wrapper for YouTube's API and request only the Google OAuth credentials and token needed to list video abuse report reasons.
- Guidance: This skill appears internally consistent: it installs the yutu CLI and needs Google OAuth credentials plus a cached token to call the YouTube API. Before installing, verify the @eat-pray-ai/yutu package and its GitHub repo (publisher identity, recent commits, releases) to make sure you trust the maintainer. Use a dedicated GCP OAuth client with minimal scopes and do not reuse high-privilege credentials. Keep client_secret.json and youtube.token.json in a secure location; if you revoke access later, rotate or delete the cached token. Remember that npm packages can run code during install; review the package source, or prefer installing from an audited release if that is a concern.
Review Dimensions
- Purpose & Capability (ok): Name/description, required binary (yutu), env vars (YUTU_CREDENTIAL, YUTU_CACHE_TOKEN), and config paths (client_secret.json, youtube.token.json) all align with a YouTube API CLI that requires OAuth credentials and a cached token.
- Instruction Scope (ok): SKILL.md instructs only to install yutu, configure OAuth, and run yutu videoAbuseReportReason list. It does not ask the agent to read unrelated system files, contact unexpected endpoints, or send anything other than the OAuth credentials/token that the YouTube API call itself requires.
- Install Mechanism (note): Install uses an npm package (@eat-pray-ai/yutu) that provides the yutu binary. npm is a common distribution channel but carries moderate risk compared with vetted OS package managers or source-reviewed binaries; this is expected for a JS CLI, but users should verify the package and publisher.
- Credentials (ok): The required env vars and config paths map directly to a Google OAuth client secret and a cached YouTube token. The number and type of credentials requested are proportionate to the stated functionality.
- Persistence & Privilege (ok): The skill does not request "always: true", does not modify other skills, and only installs a CLI binary for explicit user invocation. Autonomous model invocation is allowed by default but is not combined with other concerning privileges here.
