← Back to Skills Marketplace
Youtube Music
by
om yarewara
· GitHub ↗
· v3.0.0
472
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install youtube-music-ultra
Description
Control YouTube Music with natural language. Play, pause, skip, search, manage playlists, and queue tracks. Full playback control via browser automation.
Usage Guidance
What to check before installing:
- Confirm you have and trust the OpenClaw CLI/browser tool: scripts call openclaw browser commands and will try to start a browser. If you don't have OpenClaw installed, parts will fail.
- The skill writes caches (e.g., /tmp/yt_music_v3_cache.json and /tmp/yt_music_v3.json). These files may contain mapping of queries to URLs/video IDs; review or clear them if you are concerned about local persistence. The skill does not exfiltrate data to external servers.
- The package declares YOUTUBE_MUSIC_BROWSER_PROFILE but the v3 scripts default to the 'openclaw' profile and don't read that env var; if you expect the skill to use a different browser profile, either set the profile manually in scripts or confirm how your OpenClaw environment should expose it.
- The Node scripts use child_process.execSync to call openclaw; this is expected for a browser-control skill but means commands run with the agent's privileges. Only install/run this skill in an environment you trust.
- If you want lower footprint, inspect or run the bundled scripts manually first (they are contained in the skill folder) rather than enabling autonomous invocation.
Overall: behavior is coherent with the stated purpose and no obvious data-exfiltration or unrelated credential access was found — treat it as functionally appropriate but verify OpenClaw tooling and the cache behavior before enabling.
Capability Analysis
Type: OpenClaw Skill
Name: youtube-music-ultra
Version: 3.0.0
The skill contains multiple critical shell injection vulnerabilities in its Node.js scripts (`scripts/control.js`, `scripts/direct-play.js`, `scripts/ultra-play.js`). These scripts use `child_process.execSync` to execute `openclaw browser` commands, but user-controlled input (e.g., song queries, video IDs) is directly embedded into the shell command strings without proper shell escaping. While URL encoding is applied, it does not prevent shell metacharacters from being interpreted by `execSync`, potentially allowing arbitrary command execution on the host system. There is no evidence of intentional malicious behavior, classifying this as suspicious due to severe vulnerabilities.
Capability Assessment
Purpose & Capability
Name/description (YouTube Music control via browser automation) lines up with the code and SKILL.md: scripts open music.youtube.com, perform searches, and call the OpenClaw browser CLI. Minor inconsistency: SKILL metadata and package.json declare a required env var YOUTUBE_MUSIC_BROWSER_PROFILE, but the main v3 scripts default to the literal profile 'openclaw' and do not actually read that env var, so the declared requirement isn't used by the shipped scripts.
Instruction Scope
SKILL.md and scripts restrict actions to starting/checking the OpenClaw browser and opening YouTube Music search/watch URLs. The code does not attempt to read unrelated system files, request unrelated credentials, or POST data to external personal servers — it controls playback by opening search/watch URLs and relying on YouTube auto-play behavior. Error handling and caching behavior are local.
Install Mechanism
No remote download/install spec is present (instruction- and script-based skill). There are local scripts and Node files bundled with the skill; nothing pulls arbitrary code from external nonstandard hosts at install time, which keeps install risk low.
Credentials
Only declared env var is YOUTUBE_MUSIC_BROWSER_PROFILE and required binary is node — both plausible for a browser-automation skill. However, the code rarely reads that env var (scripts use a hardcoded/default profile 'openclaw'), so the declared env requirement appears unnecessary or misdocumented. No other credentials (API keys, tokens, AWS creds, etc.) are requested.
Persistence & Privilege
The skill does not request 'always: true' and will not be force-included. It creates small local cache files under /tmp (and scripts reference ~/.openclaw in docs) but does not attempt to change other skills' configs or system-wide auth. Local caches are persistent across runs but limited in scope.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install youtube-music-ultra - After installation, invoke the skill by name or use
/youtube-music-ultra - Provide required inputs per the skill's parameter spec and get structured output
Version History
v3.0.0
Major update with extensive documentation and feature overview.
- Added comprehensive SKILL.md with detailed usage, commands, configuration, and advanced features.
- Clarified playback, search, playlist, queue, and information command syntax.
- Documented browser automation with OpenClaw, error handling, and dynamic selector use.
- Listed advanced and planned features, limitations, and example interactions.
- Included quick start info, testing instructions, and dependency notes.
Metadata
Frequently Asked Questions
What is Youtube Music?
Control YouTube Music with natural language. Play, pause, skip, search, manage playlists, and queue tracks. Full playback control via browser automation. It is an AI Agent Skill for Claude Code / OpenClaw, with 472 downloads so far.
How do I install Youtube Music?
Run "/install youtube-music-ultra" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Youtube Music free?
Yes, Youtube Music is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Youtube Music support?
Youtube Music is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Youtube Music?
It is built and maintained by om yarewara (@oki3505f); the current version is v3.0.0.
More Skills