YouTube Watermark
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This is a coherent YouTube watermark helper, but it requires YouTube OAuth access and an external yutu CLI that can change a channel’s watermark.
Install only if you intend to let yutu access your YouTube account to set or unset channel watermarks. Keep the OAuth credential and cached token private, verify the channel ID and image before making changes, and use a trusted yutu installation source.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If run with the wrong channel ID or file, the user could change the watermark on the wrong YouTube channel.
The documented CLI command can modify a YouTube channel’s watermark. This is exactly the stated purpose, but it is a real account-changing action.
`yutu watermark set --channelId UC_x5XG1OV2P6uZZ5FSM9Ttw --file watermark.png`
Confirm the channel ID, watermark image, and intended action before running set or unset commands.
Anyone with access to the cached token may be able to perform authorized YouTube API actions for the connected account.
The skill requires OAuth authorization and stores a reusable token for YouTube API access. This is expected for managing YouTube watermarks, but the token is sensitive.
A browser window will open for you to grant YouTube access. After granting permission, a token is saved to `youtube.token.json`.
Use the least-privileged Google account/project available, protect `client_secret.json` and `youtube.token.json`, and revoke the token if it is no longer needed.
The actual behavior depends on the installed yutu binary/package and its supply chain.
The skill relies on installing an external CLI from package managers or releases. That is central to the skill, but the installed CLI code is not included in the reviewed artifacts.
`npm i -g @eat-pray-ai/yutu` ... `go install github.com/eat-pray-ai/yutu@latest` ... Download a prebuilt binary from the releases page
Install yutu from the official project source, prefer pinned or verified versions where possible, and avoid untrusted mirrors.
