Yutori research

Pass

Audited by ClawScan on May 10, 2026.

Overview

This is a straightforward Yutori web-research integration, but it uses your Yutori API key and sends research or browsing tasks to Yutori's cloud service.

Use this skill if you are comfortable sending the requested research or browsing task to Yutori. Provide a limited-scope Yutori API key, verify YUTORI_API_BASE points to the intended Yutori dev or production endpoint, avoid confidential prompts unless approved, and require confirmation before any browsing task submits forms or changes website/account state.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The skill can spend or access whatever your Yutori API key permits for Research/Browsing tasks.

Why it was flagged

The runner uses a Yutori API key from the environment or OpenClaw config and sends it as an authentication header. This is purpose-aligned, but it uses account/API authority.

Skill content

const API_KEY = process.env.YUTORI_API_KEY ?? loadKeyFromOpenClawConfig(); ... "x-api-key": API_KEY

Recommendation

Use a Yutori key with only the needed permissions and confirm YUTORI_API_BASE is set to the intended dev or production Yutori endpoint.

What this means

Sensitive research prompts, URLs, or extracted content may be processed by Yutori's cloud service.

Why it was flagged

Research prompts plus timezone/location context are sent to a cloud API endpoint. This is expected for a cloud research service, but it means task contents leave the local agent.

Skill content

const API_BASE = process.env.YUTORI_API_BASE ?? "https://api.dev.yutori.com"; ... body: JSON.stringify({ query, user_timezone, user_location })

Recommendation

Do not include confidential data unless you are comfortable sending it to Yutori, and set the production endpoint if you do not intend to use the default dev endpoint.

What this means

A poorly specified browsing task could interact with websites in ways the user did not intend.

Why it was flagged

The skill can delegate web navigation and form interaction to a cloud browser. This fits the stated browsing purpose, but website actions should remain explicitly user-requested.

Skill content

Use the Browsing API when the user asks: ... “Fill a form / click through pages / collect items”

Recommendation

Give narrow browsing instructions and require confirmation before submitting forms, posting content, purchasing, logging in, or changing account data.

What this means

Install-time metadata may not warn that the skill needs a Yutori API key.

Why it was flagged

The registry metadata does not advertise the Yutori API key requirement even though SKILL.md and the script disclose and require it. This is an under-declaration, not hidden behavior.

Skill content

Required env vars: none ... Env var declarations: none ... Primary credential: none

Recommendation

Treat this skill as requiring YUTORI_API_KEY and optionally YUTORI_API_BASE despite the metadata omission.