YoinkIt

Security checks across malware telemetry and agentic risk

Overview

Yoinkit is a coherent social-media research skill that sends user-provided social URLs, handles, and search topics to the Yoinkit API as expected for its purpose.

Install only if you are comfortable sending social media URLs, account handles, search terms, and research topics to Yoinkit using your API token. Avoid private links, sensitive account identifiers, or confidential research topics unless Yoinkit's privacy and retention practices meet your needs, and review optional cron examples before enabling automated monitoring or Obsidian note writes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
Confidence: 87%
Finding
The README promotes broad cross-platform collection, transcript extraction, and automated research workflows but provides no privacy, consent, retention, or acceptable-use guidance. In a skill designed to aggregate user-generated content across many platforms, this omission increases the risk of operators collecting personal data, processing transcripts unlawfully, or using the tool in ways that violate platform terms or privacy expectations.

Missing User Warnings

Medium
Confidence: 97%
Finding
The skill sends user-supplied queries, URLs, handles, and research topics to the Yoinkit service, but the description does not clearly warn users that these inputs are transmitted to a third-party API. This creates a privacy and data-handling risk because users may paste sensitive links, account identifiers, or research topics without informed consent, especially given the skill's broad natural-language workflow.

Missing User Warnings

Medium
Confidence: 91%
Finding
The script sends a user-supplied social media URL to a third-party API service, but it provides no explicit user-facing notice that the full URL will be transmitted off-host. Because social URLs can contain private identifiers, tracking parameters, or links to non-public content, this can result in unintended data disclosure to the external service. In the context of a content-retrieval skill, this behavior is expected, but the lack of disclosure and minimization still makes it a genuine privacy/security issue.

Missing User Warnings

Medium
Confidence: 89%
Finding
The script transmits the user-supplied video URL to the remote yoinkit API, which can expose sensitive watch links, private or internal URLs, or research targets without explicit disclosure at runtime. In a CLI skill focused on transcript extraction this behavior is functionally expected, but the lack of clear user notice and consent still creates a real privacy and data-handling risk rather than a purely theoretical issue.

VirusTotal

66/66 vendors flagged this skill as clean.