YouTube Publisher
PassAudited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill Name: youtube-publisher Version: 1.0.0 The OpenClaw AgentSkills skill bundle 'youtube-publisher' is designed for uploading videos to YouTube via the YouTube Data API v3. The `SKILL.md` provides clear, non-malicious instructions for setup and usage, including moving user-downloaded OAuth credentials to the skill's designated directory. The `scripts/youtube_upload.py` code implements the stated functionality using standard Python and Google API client libraries, handling OAuth 2.0 authentication, resumable video uploads, and metadata management. All file system and network interactions are confined to the skill's operational requirements (reading/writing its own token/credentials, accessing user-specified media files, and communicating with legitimate Google APIs). There is no evidence of data exfiltration, unauthorized execution, persistence mechanisms, or prompt injection attempts to subvert the agent's intended behavior.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the token is misused by the agent environment or another local process, it could affect the user's YouTube channel beyond a single upload.
The skill persists OAuth credentials and requests broad YouTube account scopes, not only a narrow upload permission. This grants durable authority over the user's YouTube account if authorized.
TOKEN_FILE = os.path.join(SKILL_DIR, "token.json")
SCOPES = [
"https://www.googleapis.com/auth/youtube.upload",
"https://www.googleapis.com/auth/youtube",
"https://www.googleapis.com/auth/youtube.force-ssl",
]Use a dedicated Google project/account where possible, review the OAuth consent scopes before approving, and consider reducing the script scopes to the minimum needed for upload, thumbnail, and playlist operations.
A mistaken prompt or file selection could publish the wrong video or metadata to a public channel.
The skill can have the agent publish videos to YouTube, including public uploads. This is the stated purpose, but public publishing is a high-impact action.
Agent 会自动调用上传脚本完成发布。 ... --privacy public
Keep the default private setting for first uploads, explicitly specify privacy, title, and file path, and manually review the video in YouTube Studio before making it public.
Future dependency changes or a compromised package source could affect the local uploader environment.
The setup instructions install unpinned Python dependencies. This is a normal setup step for this integration, but versions and provenance are not locked in the artifact.
pip3 install google-api-python-client google-auth-oauthlib google-auth-httplib2
Install dependencies in a virtual environment, use trusted package indexes, and pin known-good versions if using this skill in a production workflow.