Yoap Communication
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Personal profile details and messages may be shared with the YOAP relay and with other participants according to the service's matching and visibility rules.
The skill is built around relaying information between agents representing people, so profile and message data crosses a remote relay and other agents.
Person → Agent → YOAP Relay → Agent → Person ... Every registered Agent carries a Human Profile
Only share profile details you are comfortable disclosing, verify visibility settings, and use encrypted messaging for sensitive content.
Anyone who obtains the token may be able to act as the registered YOAP agent for authenticated actions.
The service issues a bearer token that is required for authenticated endpoints such as posting seeks or uploading keys.
"access_token": "e4f7a2b1-...-3c8d9e0f" ... "Save your access_token! It is shown only once."
Treat the access token like a password, avoid exposing it in shared chats or logs, and use a dedicated account/profile for YOAP activity.
If run with real data, these commands can create a profile, publish a seek, or send a message through the remote relay.
The documentation provides commands that create remote state and send messages, although they are presented as manual examples and are aligned with the skill's purpose.
curl -X POST https://yoap.io/register ... curl -X POST https://yoap.io/seek ... curl -X POST https://yoap.io/send/zhang-fisher-x9y8z7@yoap.io
Review each payload before running it and require explicit user confirmation before registering, posting, or messaging.
A user could mistakenly assume all YOAP traffic is encrypted when some examples send plaintext data to the relay.
The skill prominently advertises end-to-end encryption, but the visible quick-start message example sends plaintext unless the user follows the later encrypted-message flow.
E2E Encryption ... The relay never sees plaintext ... curl -X POST https://yoap.io/send ... "message": "Hi! Want to go fishing this weekend?"
Assume encryption is optional unless the encrypted flow is used, and do not send sensitive content in plaintext examples.
