yapp
WarnAudited by ClawScan on May 10, 2026.
Overview
This looks like a real Yapp voice-journal integration, but it would continuously fetch private transcripts and store information from them without clear controls.
Install only if you are comfortable with the agent repeatedly fetching Yapp transcripts and saving selected personal information from them. Ask for clear controls for background polling, memory review/deletion, and API key revocation before relying on it for sensitive journaling.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Private or incorrectly transcribed journal content could become long-lived agent memory and influence future conversations.
This directs the agent to create persistent memory from raw voice-journal transcripts, without stated limits, review, deletion, or correction controls.
Store any facts, preferences, or commitments the user mentions
Make memory storage opt-in, show users what will be saved, allow editing/deletion, and avoid storing sensitive transcript-derived facts unless explicitly confirmed.
The agent may keep fetching new private voice recordings in the background whenever it is active.
The skill asks for repeated autonomous polling of a private transcript API, rather than only user-initiated checks, and does not define a stop condition or user-controlled cadence.
Polling: Check on every heartbeat. Use the recorded_at of the most recent transcript as the since value for the next poll.
Require explicit user opt-in for background polling, provide a visible enable/disable control, and document the polling frequency and last fetched timestamp.
Anyone or any agent with access to the saved key may be able to retrieve the user's Yapp transcripts.
A Yapp API key is expected for this integration, but it grants access to the user's transcript feed and is stored persistently.
The user will give you a Yapp API key (starts with `yapp_`). Save it to your config.
Only provide the key if you trust the skill, store it securely, and revoke or rotate it if you stop using the integration.
Users have less information to verify who operates the integration before granting access to sensitive recordings.
The registry information does not provide an independently verifiable source or homepage for a skill that requests an API key and accesses personal voice-journal transcripts.
Source: unknown; Homepage: none
Verify the publisher and endpoint with Yapp before installing or providing an API key.