YouTube Publisher

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the token is misused by the agent environment or another local process, it could affect the user's YouTube channel beyond a single upload.

Why it was flagged

The skill persists OAuth credentials and requests broad YouTube account scopes, not only a narrow upload permission. This grants durable authority over the user's YouTube account if authorized.

Skill content

TOKEN_FILE = os.path.join(SKILL_DIR, "token.json")
SCOPES = [
    "https://www.googleapis.com/auth/youtube.upload",
    "https://www.googleapis.com/auth/youtube",
    "https://www.googleapis.com/auth/youtube.force-ssl",
]

Recommendation

Use a dedicated Google project/account where possible, review the OAuth consent scopes before approving, and consider reducing the script scopes to the minimum needed for upload, thumbnail, and playlist operations.

What this means

A mistaken prompt or file selection could publish the wrong video or metadata to a public channel.

Why it was flagged

The skill can have the agent publish videos to YouTube, including public uploads. This is the stated purpose, but public publishing is a high-impact action.

Skill content

The agent will automatically call the upload script to complete publishing. ... --privacy public

Recommendation

Keep the default private setting for first uploads, explicitly specify privacy, title, and file path, and manually review the video in YouTube Studio before making it public.

What this means

Future dependency changes or a compromised package source could affect the local uploader environment.

Why it was flagged

The setup instructions install unpinned Python dependencies. This is a normal setup step for this integration, but versions and provenance are not locked in the artifact.

Skill content

pip3 install google-api-python-client google-auth-oauthlib google-auth-httplib2

Recommendation

Install dependencies in a virtual environment, use trusted package indexes, and pin known-good versions if using this skill in a production workflow.