YouTube Video
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This skill is transparent about managing YouTube videos, but it gives OAuth-backed access to perform important account actions like uploading, updating, deleting, rating, and reporting videos.
Install this only if you trust the yutu CLI and want an agent to help manage your YouTube videos. Keep the OAuth credential and cached token private, and review any command that uploads, makes content public, changes privacy or metadata, deletes videos, rates videos, or reports abuse.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If invoked with the wrong IDs or options, the agent could delete videos, upload public content, change metadata/privacy, rate videos, or submit abuse reports.
The skill openly exposes commands that can mutate a YouTube account or public content. This is purpose-aligned, but these actions can have real account or public-facing impact.
Manage YouTube videos. Use this skill to list, upload, update, delete, get rating, or report videos.
Use the skill only for intended YouTube account management, and require clear user confirmation for delete, upload, public publish, update, rate, and report-abuse actions.
Anyone or any process that can use the cached token may be able to perform authorized YouTube actions within the granted OAuth scope.
The skill requires OAuth authorization and stores a reusable token for YouTube API access. This is expected for the stated purpose, but it is privileged account access.
A browser window will open for you to grant YouTube access. After granting permission, a token is saved to `youtube.token.json`.
Protect `client_secret.json` and `youtube.token.json`, use the minimum OAuth scopes needed, and revoke the token from the Google account if the skill is no longer trusted.
The security of the skill depends on the installed yutu package or binary handling OAuth tokens and YouTube actions safely.
The skill relies on an external CLI installed from package managers or latest release artifacts, and the runnable CLI code is not included in the provided skill artifacts.
`npm i -g @eat-pray-ai/yutu` ... `go install github.com/eat-pray-ai/yutu@latest` ... Download a prebuilt binary from the releases page
Install yutu only from the official project, prefer pinned versions or verified release checksums where available, and keep the CLI updated from trusted sources.
