Is benmillerat/openclaw-youtube-archiver safe?
https://github.com/benmillerat/openclaw-youtube-archiver
This YouTube archiving skill provides legitimate functionality for downloading and organizing YouTube playlists with AI-generated summaries. However, it accessed sensitive credential files during installation and requires broad system permissions including browser cookie access.
Findings (4)
HIGH Access to Sensitive Credential Files -30
The skill installation process accessed multiple sensitive credential files including SSH private keys (.ssh/id_rsa), AWS credentials (.aws/credentials), Docker configuration (.docker/config.json), NPM configuration (.npmrc), and Google Cloud credentials. While no exfiltration was detected, this broad access to authentication materials poses significant security risks.
MEDIUM Browser Cookie Database Access -7
The tool requires access to browser cookie databases to authenticate with YouTube for private playlists. While legitimate for its functionality, this provides access to authentication tokens for all sites in the browser.
MEDIUM External AI Service Data Transmission -3
Video transcripts and metadata are transmitted to external AI services (OpenAI, Gemini, Anthropic, etc.) for summary generation. This could expose private or sensitive video content to third parties.
LOW Complex Python Codebase -15
The skill contains substantial Python code with external dependencies including yt-dlp and AI service integrations. While the code appears legitimate, the complexity increases potential attack surface.