Skill v1.6.2
ClawScan security
Yuboto Omni API Assistant · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 3, 2026, 11:33 PM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requests, scripts, and documented runtime behavior are coherent with its stated purpose (working with the Yuboto/Octapush Omni API) and its only required secret (OCTAPUSH_API_KEY) is appropriate for that purpose.
- Guidance: This package appears internally consistent for integrating with Yuboto/Octapush. Before installing or running:
  1. Only provide an API key issued by Yuboto/Octapush (OCTAPUSH_API_KEY); storing it via OpenClaw config is recommended over exporting it to your shell.
  2. Be aware the CLI creates persistent state/log files under $XDG_STATE_HOME or ~/.local/state/openclaw/yuboto-omni-api; full message payload storage is off by default but can be enabled with YUBOTO_STORE_FULL_PAYLOAD.
  3. The scripts contact api.yuboto.com (and refresh_swagger.py fetches the live swagger). If you will run poll-pending on a schedule, review poll_pending.sh and confirm the environment it runs under has only the intended API key and permissions.
  4. If you plan to override YUBOTO_BASE_URL or provide callback URLs, verify those endpoints are trusted to avoid inadvertent data transmission.

  If you want higher assurance, inspect/run the scripts in a restricted environment (or review the bundled files) before giving the API key to the skill.
Review Dimensions
- Purpose & Capability (ok): The name and description ask for Yuboto/Octapush API integration, and the skill requires python3 plus OCTAPUSH_API_KEY; both are expected and proportional. Declared binaries, env var names, and the provided client/CLI scripts directly implement the described functionality (balance, cost, send, DLR, history, poll).
- Instruction Scope (ok): SKILL.md instructs running the included Python scripts, consulting the bundled Swagger JSON, and storing the API key in OpenClaw or an env var. The runtime instructions and helper scripts only access the API host (https://api.yuboto.com by default), documented state/log dirs, and declared env vars. There is no instruction to read unrelated system files or secrets, and scripts explicitly avoid sourcing .env files.
- Install Mechanism (ok): There is no install script; the package is script-and-docs based and uses only the Python standard library (urllib) and shell. The skill itself performs no downloads of code from arbitrary URLs and no package installs.
- Credentials (ok): The only required credential is OCTAPUSH_API_KEY (primaryEnv). Optional env vars are documented and relate to runtime behavior (state/log dirs, test number, default sender, base URL, payload storage). No unrelated credentials are requested.
- Persistence & Privilege (note): The skill persists runtime state and logs outside the skill directory by default (XDG_STATE_HOME or ~/.local/state/openclaw/yuboto-omni-api). Defaults are privacy-minimizing (full payload persistence is disabled by default), but the user can enable full payload storage via YUBOTO_STORE_FULL_PAYLOAD=true. The skill does not request always:true and does not modify other skills.
