Skill v0.1.0
ClawScan security
YouMind CLI · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 15, 2026, 7:02 AM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill's instructions match its YouMind CLI purpose, but metadata omits the declared API key requirement and makes assumptions about an installed CLI; those inconsistencies merit caution before installing or providing credentials.
- Guidance
- This skill appears to do what it says (use the YouMind CLI to discover schemas and call APIs), but the SKILL.md expects a YOUMIND_API_KEY and an installed youmind CLI while the registry metadata does not declare any required env vars or install steps. Before installing or enabling: 1) verify the youmind CLI/package source (check the referenced repo and npm package @youmind-ai/cli), 2) only provide a YouMind API key with least privilege and consider creating a dedicated key for this skill, 3) be aware the agent will run youmind commands that transmit data to YouMind, and 4) if you need automated install, prefer adding an explicit install spec or confirm the environment already has the CLI to avoid surprises. If the missing API-key declaration concerns you, ask the skill author to update metadata to explicitly require YOUMIND_API_KEY (or document alternate auth) before use.
Review Dimensions
- Purpose & Capability
- ok: The name/description and SKILL.md consistently describe using the official youmind CLI to discover schemas and call YouMind APIs. The commands and APIs listed align with the stated capabilities (boards, notes, materials, chats, etc.).
- Instruction Scope
- note: The SKILL.md contains clear, narrow runtime instructions (search, info, call) that stay within the stated YouMind domain. It also assumes the CLI is installed at ~/.local/bin/youmind and shows an npm install command; because the skill is instruction-only (no install spec), this assumption could be inaccurate in some environments and may cause the agent to attempt PATH changes or to instruct users to run npm install.
- Install Mechanism
- ok: No install spec or code files are included; the skill is instruction-only. That minimizes direct code-write risk. The SKILL.md references an npm install command as an example, but the registry includes no automated install step.
- Credentials
- concern: The runtime instructions require an API credential (YOUMIND_API_KEY) or --api-key to authenticate, but the registry metadata declares no required environment variables or primary credential. This metadata omission is inconsistent and important: the skill will need a YouMind API key to perform actions, and that key would be actively used by CLI commands. The skill does not request unrelated credentials, but the missing declaration reduces transparency about what secrets are needed.
- Persistence & Privilege
- ok: The skill is not always-enabled, does not request system-wide configuration changes, and has no install-time persistence. It does allow autonomous invocation (the platform default), which combined with an API key would let the agent call YouMind APIs — expected for this skill but something to be aware of.
