YoinkIt

v1.0.8

Search, analyze, and transcribe content across 13 social platforms — trending topics, video transcripts, post metadata, and multi-platform research workflows.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill claims to be an OpenClaw integration for multi-platform social research, which fits the included scripts. However, the registry metadata lists no required environment variables or credentials, while the SKILL.md and all scripts clearly require YOINKIT_API_TOKEN (and optionally YOINKIT_API_URL). The metadata also claims no required binaries, but the scripts assume standard CLI tools (curl, jq). This mismatch between what the skill actually needs and what the metadata declares is incoherent.
Instruction Scope
The SKILL.md and examples instruct the agent to call the Yoinkit API (network requests) and the example cron jobs include operations to read and update local Obsidian vault files (read/write paths like Research/Daily/YYYY-MM-DD-collection.md). The code files themselves operate on arguments and make API calls, but the examples expect the agent to access local files and save results back — that local file access is not declared in required config paths. The agent could therefore transmit local note contents to the external API or other channels if scheduled, which is beyond what's declared.
Install Mechanism
There is no install spec (instruction-only from a registry perspective), which reduces install-time risk. However, the package includes multiple shell scripts that the agent runtime will execute. No remote downloads or opaque installers are present. The scripts rely on curl and jq, but the registry metadata did not declare these required binaries — a mismatch to be corrected but not inherently high-risk.
Credentials
The skill legitimately needs a single service credential (YOINKIT_API_TOKEN) and optionally YOINKIT_API_URL to point at a server, which is proportionate to its stated purpose. But the registry metadata does not declare any required env vars or primary credential, so the required secret is omitted from the declared surface. Additionally, examples and SKILL.md allow YOINKIT_API_URL to be pointed at localhost or custom endpoints — useful for testing but potentially abused to redirect agent traffic to arbitrary servers if misconfigured.
Persistence & Privilege
The skill is not force-installed (always: false) and uses the normal agent-invocable behavior. The examples include cron jobs (scheduled autonomous runs) and delivery channels (e.g., telegram), which is expected for a research/monitoring skill. This is acceptable, but combined with the above inconsistencies (undeclared env var and instructions to read/write local notes), scheduled autonomous runs increase the impact of any misconfiguration or malicious endpoint.
What to consider before installing
Do not install blindly. Key issues: (1) The registry metadata does not list the required YOINKIT_API_TOKEN (and doesn't declare required binaries like curl/jq), but the scripts and SKILL.md clearly require that token and make network requests to https://yoinkit.ai (or a user-set YOINKIT_API_URL). (2) Several example cron jobs instruct the agent to read and update local Obsidian files — the skill does not declare required config paths for that. Before installing, ask the publisher to: publish a homepage/source repo, correct the registry metadata to list YOINKIT_API_TOKEN and required binaries, and explicitly document what local files (if any) the skill will read or write. Verify the yoinkit.ai API domain (and ask for a privacy/data-retention policy). If you proceed, only give the token to the skill after confirming the provider, and avoid scheduling jobs that grant the agent blanket access to sensitive local files or external channels (e.g., Telegram) until you trust the publisher. If you want higher assurance, request the upstream source code repository and confirm that API calls only send the minimal required fields (URLs/ids and not arbitrary local note contents) before enabling automated cron jobs.
