Tal Im

Review

Audited by ClawScan on May 13, 2026.

Overview

This appears to be a legitimate Yach enterprise integration, but it is powerful and should only be configured with trusted, least-privilege credentials.

Install only if you are an authorized TAL/Yach user or administrator. Configure a least-privilege Yach app, enable allowlists where possible, protect ~/.openclaw/identity, and carefully review approvals for mail, document deletion, group membership, scheduling, meeting, and attendance actions.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Configuring this skill can let an agent act through a Yach robot app and, if QR login is completed, through the user's personal Yach session.

Why it was flagged

The plugin requires robot credentials and can optionally store a personal QR session; the docs also acknowledge broad enterprise resource access. This is sensitive but clearly tied to the stated Yach integration.

Skill content

AppKey (required)... AppSecret (required)... QR scan session (optional)... Robot credentials can access all employees' calendars, documents, and OKRs

Recommendation

Use a least-privilege Yach app, avoid configuring personal QR sessions on shared machines, and revoke/rotate credentials when no longer needed.

What this means

If approved, the agent can perform irreversible or externally visible actions in corporate systems.

Why it was flagged

The code registers tools that can delete documents, send mail, remove group members, cancel events/meetings, and write attendance records, while marking them high risk for approval.

Skill content

const highRisk = ['yach_doc_delete', 'yach_mail_send', 'yach_group_remove_members', 'yach_schedule_cancel', 'yach_meeting_cancel', 'yach_attendance_punch_offduty']; ... risk: 'high'

Recommendation

Keep approval prompts enabled, verify recipients/document IDs/group IDs before approving, and restrict who can invoke the channel.

What this means

Once the gateway is running, the plugin can continue receiving and responding to Yach messages until disabled or stopped.

Why it was flagged

The plugin starts a long-running channel monitor when the gateway is active. This is expected for an IM channel integration, but it is persistent background behavior.

Skill content

if (connectionMode === 'channel') { return monitorChannel({ account, cfg: opts.cfg, logger }); }

Recommendation

Disable the channel or stop the gateway when not in use, and configure pairing/allowlists for permitted users and groups.

What this means

Users relying only on registry metadata may not realize the plugin needs Yach AppKey/AppSecret and may optionally store a personal QR login session.

Why it was flagged

The registry metadata does not declare the credentials that SKILL.md and the setup wizard require. This is a metadata clarity gap, not hidden credential use, because the docs disclose the requirements.

Skill content

Required env vars: none; Primary credential: none; Install specifications: No install spec

Recommendation

Read the SKILL.md/setup prompts before installing and update registry metadata to reflect the required Yach credentials.