Save Link & Web Clipper
Security checks across malware telemetry and agentic risk
Overview
This appears to be a real YouMind web clipper, but it grants broader shell and code-execution permissions than are needed just to save links.
Install this only if you are comfortable using YouMind, storing selected URLs there, and providing a YouMind API key. Before use, consider restricting or reviewing the broad `node -e *` and `youmind *` tool permissions, and approve any global npm installation yourself.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If misused by the agent, this permission could run local JavaScript that reads files or environment variables, writes files, or makes network requests.
The skill grants permission to run arbitrary Node.js one-liners, but the documented workflow does not explain why dynamic local code execution is needed to save a URL.
allowed-tools:
  - Bash(node -e *)
Remove `Bash(node -e *)` unless it is strictly necessary, or replace it with a narrow, documented command that cannot execute arbitrary code.
The agent may have more YouMind account authority than the narrow save-link task requires, increasing the impact of mistakes or prompt confusion.
The allowed command pattern permits broad YouMind CLI use, while the workflow only requires specific calls such as `getDefaultBoard`, `listBoards`, and `createMaterialByUrl`.
allowed-tools:
  - Bash(youmind *)
Constrain allowed commands to the exact YouMind CLI operations required for this workflow and require confirmation for any other account-mutating action.
Installing the CLI changes the local environment and trusts the npm package source.
The skill relies on installing a global npm CLI package. This is central to the stated purpose, but it is an external dependency and is not pinned in the artifact.
`npm install -g @youmind-ai/cli`
Install the CLI only from the expected npm package, review it if needed, and prefer a pinned or verified version where possible.
Anyone or any process with access to this API key may be able to act on the user's YouMind account according to the key's permissions.
The skill requires a YouMind API key to operate on the user's YouMind account, which is expected for saving links to a private board.
primaryEnv: YOUMIND_API_KEY
requires:
  anyBins: ["youmind", "npm"]
  env: ["YOUMIND_API_KEY"]
Use a dedicated YouMind API key with the least permissions available, store it outside chat, and rotate it if exposed.
Private or sensitive URLs may become part of the user's YouMind board and could be processed or retained by that service.
The skill persistently stores user-selected URLs in a YouMind knowledge base, which is the intended feature but still affects data retention.
Articles, videos, documents — anything with a URL gets saved and organized in your personal knowledge base.
Only save links you are comfortable storing in YouMind, especially if they contain private tokens, confidential documents, or non-public resources.
