YouTube Video Category

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed YouTube CLI wrapper for listing video categories, with expected but sensitive OAuth setup requirements.

Install only if you trust the yutu CLI and are comfortable granting it YouTube API access. Keep `client_secret.json` and `youtube.token.json` private, do not commit or share them, prefer restrictive file permissions or a secret manager where practical, and revoke the token if you stop using the tool.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The setup guide instructs users to create OAuth client secret and cached token files and store them locally, but it does not warn that these artifacts are sensitive secrets that grant API access and must be protected from disclosure, commits, or insecure sharing. In a developer setup document, omission of secret-handling guidance can plausibly lead to accidental exposure of credentials or tokens through source control, logs, backups, or shared directories.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal