YouMind Blog Cover
Security checks across malware telemetry and agentic risk
Overview
The skill’s main YouMind image-generation workflow is coherent, but it asks for broader local code-execution permission than the documented workflow appears to need.
Before installing, be comfortable using a YouMind API key, sending article topics or URLs to YouMind, and installing the YouMind CLI from npm. The main functionality appears aligned with the description, but the skill should ideally remove or narrowly justify the broad node -e and node scripts/* execution permissions.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the agent follows or invents commands under these permissions, it could run local JavaScript beyond what is needed to generate a blog cover.
These allowed-tool patterns permit dynamic Node.js one-liners and execution of scripts, but the documented workflow is to call the YouMind CLI for image generation and the manifest contains no scripts directory.
allowed-tools:
  - Bash(node -e *)
  - Bash(node scripts/*)
Narrow the allowed tools to the specific YouMind CLI commands needed, remove node -e and node scripts/* unless strictly necessary, or include reviewed helper scripts with tightly scoped invocation.
Installing the CLI adds software from npm to the user’s environment.
The skill instructs users to install an external npm package globally. This is central to the stated YouMind integration, but users should recognize the package provenance and global install scope.
npm install -g @youmind-ai/cli
Install only from the official package source, consider pinning a trusted version in controlled environments, and review the CLI before use if handling sensitive content.
The skill can use the configured YouMind account to create chats and save generated images.
The skill requires a YouMind API key to operate under the user’s YouMind account. This is expected for the provider integration and no artifact shows hardcoded, logged, or unrelated credential use.
primaryEnv: YOUMIND_API_KEY
requires:
  anyBins: ["youmind", "npm"]
  env: ["YOUMIND_API_KEY"]
Use an API key intended for this service, do not paste it into chat, and revoke or rotate it if no longer needed.
Article topics, URLs, or other prompt context may be stored in YouMind along with the generated cover image.
The workflow persists generated outputs, and likely the user-provided title/topic/URL prompt context, in the user’s YouMind board. This is disclosed and purpose-aligned.
Generated images are saved to your YouMind board automatically.
Avoid submitting sensitive unpublished material unless you are comfortable storing it in YouMind.
A background task may continue checking YouMind status after the main chat responds.
The skill may start a background subagent to poll for image-generation completion. The polling is disclosed and bounded by the documented 120-second timeout.
MANDATORY: If the agent platform supports subagents or background tasks, spawn a subagent for polling. Return control to the user immediately.
Ensure the user is informed when background polling starts, keep the timeout enforced, and provide a way to stop or ignore the background task.
