YouTube Video Category

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This is a coherent YouTube CLI wrapper for listing video categories, but users should note that it requires installing an external CLI and using YouTube OAuth token files.

Before installing, make sure you trust the `yutu` CLI source and are comfortable granting it YouTube API access. Keep the OAuth credential and token files private, and revoke the token if you stop using the tool.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The CLI may use local YouTube OAuth credentials, so anyone installing it should understand and trust how those credentials are handled.

Why it was flagged

The skill explicitly requires OAuth material and a cached token, which are sensitive account-access artifacts even though their use is disclosed and aligned with YouTube API access.

Skill content

yutu requires Google Cloud Platform OAuth credentials and a cached token to access the YouTube API.

Recommendation

Use a dedicated OAuth client where possible, keep `client_secret.json` and `youtube.token.json` private, and revoke or delete the token when no longer needed.

What this means

Installing the CLI gives that external tool local execution ability and access to the configured YouTube credentials.

Why it was flagged

The skill relies on an externally installed CLI package or binary. This is central to the stated purpose, but it is still supply-chain-relevant because the executable is outside the provided artifact contents.

Skill content

npm i -g @eat-pray-ai/yutu ... go install github.com/eat-pray-ai/yutu@latest ... Download a prebuilt binary from the releases page

Recommendation

Install `yutu` only from the official source, prefer pinned or verified releases when available, and avoid sharing credentials with untrusted installations.