youtube-comment

Pass

Audited by Gen Agent Trust Hub on Mar 26, 2026

Risk Level: SAFE
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The skill executes the yutu CLI tool with arguments provided by the user, which is a command-injection surface if those values are interpolated into a shell command string rather than passed to the process as separate arguments.
      • Ingestion points: The --textOriginal and --ids flags in references/comment-insert.md and references/comment-delete.md.
      • Boundary markers: None identified. The instructions do not specify any delimiters or escaping protocol for command-line arguments.
      • Capability inventory: The yutu tool interacts with the YouTube API and requires access to local credential files (client_secret.json, youtube.token.json), so an injected command would run in a context that can read those files.
      • Sanitization: No sanitization or input validation is described for user data before it is interpolated into shell commands.
  • [EXTERNAL_DOWNLOADS]: The skill requires installing the yutu utility from remote sources.
      • Evidence: SKILL.md and references/setup.md give installation instructions via npm, Homebrew, and Go.
      • Note: These resources are hosted on the official GitHub and package-registry accounts of the skill author (@eat-pray-ai).
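The following is an added example, not code from the skill, the yutu project, or the audit: it shows the interpolation pattern the COMMAND_EXECUTION finding describes next to the argv form that closes it, and a validator for the --ids path. Because running the real tool needs YouTube credentials, a throwaway shell script named `yutu` (constructed here) stands in for the binary and simply echoes each argument it receives. The `yutu comment insert` / `yutu comment delete` subcommand shape is inferred from the reference file names, `--ids` is assumed to take a comma-separated list, and the comment-ID character set is an assumption; none of these are confirmed by the page.

```python
"""Shell-interpolation vs. argv for a CLI invoked with user-controlled text.
The `yutu` used here is a stand-in script written at runtime, not the tool."""
import os
import re
import shlex
import subprocess
import tempfile

# Constructed payload: closes the single-quoted argument an agent might wrap
# around the comment text, then smuggles a second shell command.
PAYLOAD = "Nice video' ; echo INJECTED ; echo 'trailer"

# Stand-in for the yutu binary: prints one "ARG:<value>" line per argument.
FAKE_YUTU = '#!/bin/sh\nfor a in "$@"; do printf \'ARG:%s\\n\' "$a"; done\n'

_ENV = None


def _env_with_fake_yutu():
    """Build (once) an environment whose PATH resolves `yutu` to the stand-in."""
    global _ENV
    if _ENV is None:
        d = tempfile.mkdtemp(prefix="fake-yutu-")
        path = os.path.join(d, "yutu")
        with open(path, "w") as f:
            f.write(FAKE_YUTU)
        os.chmod(path, 0o755)
        _ENV = dict(os.environ, PATH=d + os.pathsep + os.environ.get("PATH", ""))
    return _ENV


def unsafe_insert(text):
    """The pattern the audit warns about: user text formatted into a shell
    string and handed to /bin/sh.  Returns the output lines."""
    cmd = f"yutu comment insert --textOriginal '{text}'"  # assumed subcommand
    r = subprocess.run(cmd, shell=True, capture_output=True, text=True,
                       env=_env_with_fake_yutu())
    return r.stdout.splitlines()


def safe_insert(text):
    """Hardened form: no shell; the comment text is one argv element, so
    quotes and semicolons inside it are data, not syntax."""
    argv = ["yutu", "comment", "insert", "--textOriginal", text]
    r = subprocess.run(argv, capture_output=True, text=True,
                       env=_env_with_fake_yutu())
    return r.stdout.splitlines()


def quoted_insert(text):
    """If a shell string is unavoidable (the agent can only emit a command
    line), build it with shlex.join so every element is quoted."""
    cmd = shlex.join(["yutu", "comment", "insert", "--textOriginal", text])
    r = subprocess.run(cmd, shell=True, capture_output=True, text=True,
                       env=_env_with_fake_yutu())
    return r.stdout.splitlines()


# Assumed ID charset: URL-safe alphanumerics, '_' and '-'.  A leading '-' is
# rejected separately so an ID can never be parsed by the CLI as a flag.
COMMENT_ID_RE = re.compile(r"[A-Za-z0-9_-]+")


def validate_comment_id(cid):
    if cid.startswith("-") or not COMMENT_ID_RE.fullmatch(cid):
        raise ValueError(f"rejected comment id: {cid!r}")
    return cid


def safe_delete_argv(ids):
    """argv for the delete path; --ids is assumed to take a comma-separated list."""
    return ["yutu", "comment", "delete", "--ids",
            ",".join(validate_comment_id(i) for i in ids)]


if __name__ == "__main__":
    print("unsafe:", unsafe_insert(PAYLOAD))
    print("safe:  ", safe_insert(PAYLOAD))
    print("quoted:", quoted_insert(PAYLOAD))
    print(safe_delete_argv(["UgzAbc_-123"]))
```

Running the block shows the unsafe path producing a bare `INJECTED` line that came from the shell, not from the tool, while the argv and shlex-joined paths deliver the whole payload as a single `--textOriginal` value. The validator is deliberately stricter than a character-class check: a value such as `--help` matches the assumed charset but must still be refused, because a user-supplied ID beginning with `-` would otherwise be parsed as an option.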
Audit Metadata
Risk Level
SAFE
Analyzed
Mar 26, 2026, 08:21 PM