Yuboto Omni API Assistant

Audited by ClawScan on May 10, 2026.

Overview

This skill coherently supports Yuboto/Octapush messaging with the expected API key, but it can send real or bulk SMS and keep local message state, so use it with clear recipient and credential controls.

Install this only if you intend OpenClaw to help with Yuboto/Octapush messaging. Protect OCTAPUSH_API_KEY, verify recipients and costs before using send-sms or send-csv, keep local state/logs private, and confirm the flagged documentation file does not contain any real API key.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If used with the wrong recipients, sender, or CSV file, it could send unwanted messages and incur Yuboto/Octapush account costs.

Why it was flagged

The skill exposes purpose-aligned commands that send real SMS messages, including bulk sending from a CSV file.

Skill content

`send-sms --sender <approved_sender> ... --to +30...` and `send-csv --file contacts.csv ...`

Recommendation

Use these commands only after explicitly confirming the sender, recipients, message text, estimated cost, and batch size; test with a small recipient list first.

What this means

Anyone or any process with this API key could perform actions allowed by the Yuboto account, including sending messages.

Why it was flagged

The scripts use the configured API key as an Authorization header for Yuboto API requests, which is expected but grants account access.

Skill content

`"Authorization": self._build_auth_header(config.api_key)`

Recommendation

Store the key via OpenClaw config or environment variables, avoid passing it on the command line, rotate it if exposed, and do not set the base URL override to an untrusted host.

What this means

Local state may reveal message IDs, timestamps, status, recipient counts, and, if full persistence is enabled, message text or recipients.

Why it was flagged

The skill keeps persistent local message tracking data and can optionally retain fuller message payload details.

Skill content

Sent log rotates to last `5000` lines ... State index keeps up to `5000` tracked IDs ... Full payload/text/recipient persistence is **off** by default ... `YUBOTO_STORE_FULL_PAYLOAD=true`

Recommendation

Keep the state directory private, leave full payload persistence disabled unless needed, and reduce retention limits if local message history should not be kept.

What this means

Users have less context for verifying who maintains the skill or comparing the packaged scripts against an upstream source.

Why it was flagged

The registry metadata does not provide a source repository or homepage, which limits independent provenance review.

Skill content

Source: unknown; Homepage: none

Recommendation

Review the included scripts before use and prefer a version with a verifiable source repository when available.