v1.0.1

YouMind Blog Cover

Review: ClawScan verdict for this skill. Analyzed May 1, 2026, 7:27 AM.

Analysis

The skill mostly matches its blog-cover purpose, but it also grants unnecessary local Node execution permissions that are broader than needed.

Guidance: Review the extra Node command permissions before installing. If you proceed, use a dedicated YouMind API key where possible, do not paste the key into chat, and avoid submitting sensitive unpublished article details unless you trust YouMind to process them.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Unexpected Code Execution
Severity: Medium | Confidence: High | Status: Concern
SKILL.md
allowed-tools:
  - Bash(node -e *)
  - Bash(node scripts/*)

These permissions allow arbitrary inline Node execution and running local scripts, but the documented workflow only uses `youmind`, `npm install`, and an environment-variable check.

User impact: If an agent used these permissions, it could run local JavaScript commands unrelated to generating a blog cover.
Recommendation: Remove the `node -e` and `node scripts/*` tool permissions unless a specific, reviewed, purpose-bound command is required.

Agentic Supply Chain Vulnerabilities
Severity: Low | Confidence: High | Status: Note
references/setup.md
npm install -g @youmind-ai/cli

The skill asks the user to globally install an external npm CLI package. This is purpose-aligned, but the artifact does not pin a version.

User impact: Installing the CLI gives that external package code execution on the local machine during installation and use.
Recommendation: Install only if you trust the YouMind CLI source, and consider pinning or verifying the package version in managed environments.

Rogue Agents
Severity: Low | Confidence: High | Status: Note
SKILL.md
If the agent platform supports subagents or background tasks, spawn a subagent for polling. Return control to the user immediately.

The skill can create a background polling task, but the provided polling rules bound it to 5-second polling with a 120-second timeout.

User impact: The agent may keep checking image-generation status after the main response returns.
Recommendation: Ensure the background task is limited to the documented polling action and stops after the stated timeout.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low | Confidence: High | Status: Note
SKILL.md
primaryEnv: YOUMIND_API_KEY
requires:
  anyBins: ["youmind", "npm"]
  env: ["YOUMIND_API_KEY"]

The skill requires a YouMind API key to act on the user's YouMind account, which is expected for creating and saving generated images.

User impact: The skill can use the configured YouMind account to create chats and save generated images to the user's board.
Recommendation: Use an API key intended for this service, keep it out of chat history, and revoke or rotate it if no longer needed.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Low | Confidence: High | Status: Note
SKILL.md
youmind call createChat '{"boardId":"<boardId>","message":"<optimized-prompt>","tools":{"imageGenerate":{"useTool":"required","aspectRatio":"16:9"}}}'

The user's article title, topic, or URL is incorporated into a prompt sent to the external YouMind service for image generation.

User impact: Private article ideas, URLs, or unpublished topics may be sent to YouMind and associated with the user's board.
Recommendation: Avoid sending sensitive unpublished content unless you are comfortable processing it through YouMind.