YoudaoNote
v1.0.5
Official Youdao Note (有道云笔记) skill, supporting notes, to-dos, web clipping, and other operations. Use this Skill when a task involves Youdao Note.
by @lephix
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the instructions: the skill calls and documents a youdaonote CLI for note/todo/clip operations. Declared required binary (youdaonote) and no unrelated credentials or tools are requested, which is proportionate to the stated purpose.
Instruction Scope
SKILL.md confines runtime actions to invoking the youdaonote CLI, checking its presence/version, prompting the user for missing installs, and configuring an API key via the CLI. It does not instruct the agent to read unrelated files, exfiltrate data, or perform arbitrary system changes; it explicitly forbids auto-install and modifying shell startup files.
Install Mechanism
There is no automated install spec (instruction-only), and the skill instructs the user to use an 'official' install URL hosted at artifact.lx.netease.com. Because installation is explicitly left to the user (agent must not auto-run remote scripts), risk is low — but users should review the linked install script before piping into a shell.
Credentials
The skill declares no required environment variables, which aligns with metadata. However, it relies on an API key obtained from https://mopen.163.com and sets it via `youdaonote config set apiKey`. That credential is not expressed in requires.env (it's stored in the CLI config), so users should be aware the key will be placed in the CLI's config storage and verify how/where that is persisted.
Persistence & Privilege
The skill is not always-enabled and does not request elevated or persistent platform privileges. It explicitly forbids the agent from automatically performing installs or modifying other skills or shell startup files; autonomous invocation remains allowed (platform default) but does not combine with other red flags.
Assessment
This skill is a coherent, instruction-only wrapper around an external youdaonote CLI. Before installing or using it you should: (1) verify the youdaonote binary comes from the official site and inspect the referenced install script (https://artifact.lx.netease.com/...) rather than piping blindly into bash; (2) be aware the skill will ask you to obtain an API key from https://mopen.163.com and run `youdaonote config set apiKey <key>` — check where the CLI stores that key (config file, plaintext) and whether that storage meets your security needs; (3) confirm you are comfortable running the CLI commands the skill will execute or run them manually in a sandbox if needed. The skill itself does not request unrelated credentials or instruct the agent to perform hidden system changes.
Like a lobster shell, security has layers — review code before you run it.
latest: vk9760zrc3h0mg0daxe99qa8vhs84taqq
Runtime requirements
Bins: youdaonote
