Is globalcaos/youtube-ultimate safe?
https://github.com/openclaw/skills/tree/main/skills/globalcaos/youtube-ultimate
YouTube Ultimate is a functionally coherent YouTube research skill with a clean SKILL.md (no prompt injection) and no install-time execution vectors. The principal concerns are excessive OAuth scopes that grant write-level YouTube access when only read-only is needed, unsafe pickle-based token storage that creates an arbitrary code execution risk if the token file is substituted, and agent-accessible commands that expose private account data. All honeypot credential files were accessed during the monitoring window, but source code analysis and pre-install timing strongly indicate these accesses originated from the Oathe audit framework's canary operations rather than the skill itself — though this exposure reveals a blind spot in content-only canary integrity checking.
Category Scores
Findings (7)
HIGH Overly broad OAuth scopes include write-level YouTube access -25
The skill requests three OAuth scopes: youtube.readonly, youtube, and youtube.force-ssl. For the stated functionality (transcripts via youtube-transcript-api which requires no OAuth at all, and downloads via yt-dlp which also requires no OAuth), only youtube.readonly is needed for the API-based search/video-detail commands. The youtube and youtube.force-ssl scopes grant full write access: liking and disliking videos, posting and deleting comments, creating and modifying playlists, and modifying channel settings. Once a user authenticates, the agent retains these write capabilities for the full token lifetime stored on disk.
HIGH All honeypot credential files accessed (read) during monitoring window — canary integrity blind spot confirmed -35
Inotify and auditd monitoring captured sequential OPEN+ACCESS events on every honeypot credential file the audit environment placed: .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and .config/gcloud/application_default_credentials.json. These events occurred in two sweeps — before installation (audit records 267–274 at 1771922570.728, approximately 6 seconds before the git clone began at 1771922576) and after installation (audit records 1436–1441 at 1771922588.812, after all audit checks completed). The youtube.py source code contains no logic to read these paths. The pre-install timing and the sweep-then-verify pattern are consistent with the Oathe monitoring framework's canary setup and integrity verification. Critically, the canary check only validates file content (hashes), not read access — a skill that reads but does not modify credential files would pass integrity checks despite having exfiltrated the content.
MEDIUM OAuth tokens persisted via pickle — deserialization enables arbitrary code execution -12
After OAuth authentication, credentials are serialized to disk using Python's pickle module at ~/.config/youtube-skill/token.pickle. Python pickle deserialization executes arbitrary bytecode embedded in the payload. If an attacker with write access to the user's home directory (via another skill, a filesystem tool, or a compromised agent) substitutes a crafted token.pickle file, the next invocation of youtube.py will execute attacker-controlled code with the user's privileges during the credential loading path, before any YouTube API calls are made.
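The following is an added example, not code from the youtube-ultimate skill, showing the hardened token-persistence path that both the scope finding and the pickle finding point at: credentials are written as JSON with mode 0600 instead of pickle, the loader never calls pickle.load and refuses a file that looks like one, and both save and load reject any scope beyond youtube.readonly (the only scope the page says the API commands need). The token field names (token, refresh_token, client_id, scopes) are assumptions, since the page does not show the skill's serialization format; the values in demo() are constructed.

```python
import json
import os
import pickle  # used only in demo() to build a benign pickle that the loader must refuse
import stat
import tempfile
from pathlib import Path

# Allowlist: the page states only youtube.readonly is needed for the API commands.
ALLOWED_SCOPES = frozenset({"https://www.googleapis.com/auth/youtube.readonly"})
# Assumed field names for the persisted token (not taken from the skill).
REQUIRED_KEYS = ("token", "refresh_token", "client_id", "scopes")


class TokenStoreError(Exception):
    """Raised when a token must not be written or must not be trusted."""


def excess_scopes(requested):
    """Return the requested scopes that go beyond the read-only allowlist."""
    return sorted(set(requested) - ALLOWED_SCOPES)


def save_token(path, token_info):
    """Persist token_info as JSON (never pickle) with owner-only permissions."""
    extra = excess_scopes(token_info.get("scopes", []))
    if extra:
        raise TokenStoreError(f"refusing to persist write-capable scopes: {extra}")
    path = Path(path)
    path.parent.mkdir(parents=True, exist_ok=True)
    # O_CREAT with mode 0600 so the file is never briefly world-readable.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(token_info, fh)
    os.chmod(path, 0o600)  # tighten a pre-existing file with a looser mode


def load_token(path):
    """Load a JSON token. Refuses pickle-looking files, bad fields, broad scopes, loose modes."""
    path = Path(path)
    raw = path.read_bytes()
    # pickle protocol 2+ streams begin with 0x80; JSON never does.
    if raw[:1] == b"\x80":
        raise TokenStoreError("token file looks like a pickle; refusing to load it")
    try:
        info = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        raise TokenStoreError(f"token file is not valid JSON: {exc}") from None
    if not isinstance(info, dict) or any(k not in info for k in REQUIRED_KEYS):
        raise TokenStoreError("token file is missing required fields")
    extra = excess_scopes(info["scopes"])
    if extra:
        raise TokenStoreError(f"stored token carries write-capable scopes: {extra}")
    mode = stat.S_IMODE(path.stat().st_mode)
    if mode & 0o077:
        raise TokenStoreError(f"token file mode {oct(mode)} is group/world accessible")
    return info


def demo():
    """Round-trip a read-only token and exercise the rejections on constructed data."""
    good = {
        "token": "ya29.constructed-access-token",
        "refresh_token": "1//constructed-refresh-token",
        "client_id": "constructed.apps.googleusercontent.com",
        "scopes": ["https://www.googleapis.com/auth/youtube.readonly"],
    }
    broad = dict(good, scopes=good["scopes"] + ["https://www.googleapis.com/auth/youtube"])
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        token_path = Path(tmp) / "token.json"
        save_token(token_path, good)
        results["roundtrip"] = load_token(token_path) == good
        try:
            save_token(token_path, broad)
            results["broad_scopes_rejected"] = False
        except TokenStoreError:
            results["broad_scopes_rejected"] = True
        pickled = Path(tmp) / "token.pickle"
        pickled.write_bytes(pickle.dumps(good))  # benign payload; loader must still refuse it
        try:
            load_token(pickled)
            results["pickle_rejected"] = False
        except TokenStoreError:
            results["pickle_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The loader checks the file's permission bits as well as its format, because a token that is readable by other local users is still usable against the account even when it is stored as plain JSON.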
MEDIUM Personal YouTube account commands expose private account data to agent -13
The skill exposes four commands that return personal account data scoped to the authenticated user: subscriptions (mine=True), liked (myRating='like'), playlists (mine=True), and channel (mine=True). When this skill is loaded into an agent, any task interaction — including from an attacker who can send messages to the agent — can trigger these commands to extract subscription history, liked video history, and playlist contents. This reveals private viewing habits, interest graph, and account identity without requiring additional authentication.
LOW yt-dlp subprocess output path not sanitized -5
The download and download-audio commands construct yt-dlp arguments by concatenating the user-supplied output directory argument without path validation: f"{args.output}/%(title)s.%(ext)s". An agent or user supplying a path like /home/user/.ssh or /etc could cause downloaded files to be written to sensitive directories. The video ID itself is regex-matched and safe, but the output path is not validated.
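As an added example (not the skill's code), the same yt-dlp argument construction with the output directory confined to a base directory: the requested path is resolved against the base and rejected if it escapes it, the video ID is checked against an 11-character pattern before the URL is built, and --restrict-filenames keeps title-derived file names ASCII-safe. The base directory argument and the helper names are assumptions; the video ID in the usage line is constructed.

```python
import re
from pathlib import Path

# YouTube video IDs are 11 characters from this alphabet.
VIDEO_ID_RE = re.compile(r"[A-Za-z0-9_-]{11}")


class UnsafeOutputPath(ValueError):
    """Raised when the requested output directory leaves the allowed base."""


def resolve_output_dir(requested, base_dir):
    """Return requested resolved under base_dir; raise if it escapes base_dir."""
    base = Path(base_dir).resolve()
    requested_path = Path(requested)
    candidate = requested_path.resolve() if requested_path.is_absolute() else (base / requested_path).resolve()
    try:
        candidate.relative_to(base)  # ValueError if candidate is outside base
    except ValueError:
        raise UnsafeOutputPath(f"{requested!r} escapes {base}") from None
    return candidate


def is_safe_output(requested, base_dir):
    """Boolean form of resolve_output_dir for callers that only need a verdict."""
    try:
        resolve_output_dir(requested, base_dir)
        return True
    except UnsafeOutputPath:
        return False


def build_ytdlp_args(video_id, requested_output, base_dir, audio_only=False):
    """Build a yt-dlp argv with a confined output template and a validated video ID."""
    if not VIDEO_ID_RE.fullmatch(video_id):
        raise ValueError(f"invalid video id: {video_id!r}")
    out_dir = resolve_output_dir(requested_output, base_dir)
    template = str(out_dir / "%(title)s.%(ext)s")
    args = ["yt-dlp", "--no-overwrites", "--restrict-filenames", "-o", template]
    if audio_only:
        args.append("-x")
    # Build the URL from the validated ID rather than passing user text through.
    args.append(f"https://www.youtube.com/watch?v={video_id}")
    return args


if __name__ == "__main__":
    # Constructed sample: a well-formed ID and a relative output directory.
    print(build_ytdlp_args("abcDEF123-_", "clips", "downloads"))
    print(is_safe_output("../../etc", "downloads"), is_safe_output("/etc", "downloads"))
```

Confining the path to a base directory is the check the finding asks for; an absolute path supplied by the caller is accepted only when it already lies under that base, so neither /etc nor a .ssh directory outside the base can become the download target.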
LOW External URL in SKILL.md to unverified third-party project -8
SKILL.md includes a promotional link to github.com/globalcaos/clawdbot-moltbot-openclaw, described as the 'full project'. This URL is separate from the skill's own openclaw/skills repository and points to an unvetted external repository. While not an active injection vector in the current content, an agent that follows embedded links could be directed to external content controlled by the skill author.
INFO Installation network activity within expected bounds 0
All network connections during the monitoring window were to GitHub (140.82.121.3:443) for the git clone operation and to Ubuntu/Canonical infrastructure (91.189.91.48:443, 185.125.188.58:443) for system package checks. No unexpected outbound connections were observed. The connection diff shows no new persistent listening ports or established connections after installation. DNS queries were limited to expected resolution activity.