Is gentrycopsy/ytmusic safe?

https://github.com/openclaw/skills/tree/main/skills/gentrycopsy/ytmusic

93
SAFE

The gentrycopsy/ytmusic skill is clean reference documentation for the ytmusicapi Python library with no prompt injection, no auto-executing code, and no evidence of data exfiltration during the sandboxed install. The only substantive concern is that the skill's legitimate setup workflow produces a browser.json credential file containing YouTube Music session tokens — a sensitive artifact that could be targeted by other malicious skills, though this skill contains no such targeting instructions. All canary honeypots remained intact.

Category Scores

Prompt Injection 96/100 · 30%
Data Exfiltration 87/100 · 25%
Code Execution 98/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 85/100 · 5%

Findings (3)

LOW Auth setup creates sensitive browser session credential file -13

The skill's setup instructions guide users to extract raw HTTP headers from a logged-in browser session and convert them into browser.json, which contains YouTube Music session cookies. This is the canonical ytmusicapi authentication flow, but it produces a persistent credential artifact on disk. An agent following these instructions would create a high-value token file in the skill folder. The skill does not instruct the agent to exfiltrate this file, but it represents a concentration of sensitive material.

INFO Bundled .clawhub/lock.json references unrelated installed skill -2

The skill package includes a .clawhub/lock.json that records academic-research-hub as a previously installed skill. This file was almost certainly captured from the developer's environment at packaging time. It has no executable effect and poses no runtime risk, but it indicates the skill was authored in an environment with other skills installed.

INFO Canary files accessed twice during audit session 0

Canary files (.env, .ssh/id_rsa, .aws/credentials, etc.) were accessed at two points: audit start (1771937247.385) and post-install (1771937270.684). Both access patterns are consistent with the oathe audit framework performing pre/post baseline integrity captures. The canonical canary integrity report confirms all files are intact and unmodified.