YoinkIt
Pass
Audited by ClawScan on May 1, 2026.
Overview
YoinkIt is a coherent read-oriented social-media research skill that uses a Yoinkit API token; the main things to notice are the under-declared credential/dependency setup and optional recurring cron examples.
This skill appears safe for its stated purpose if you are comfortable sending social-media URLs, handles, queries, and transcript requests to Yoinkit's API. Before installing, confirm you trust Yoinkit, configure the API token carefully, verify required tools like curl and jq are available, and only enable the bundled cron or Obsidian examples after reviewing exactly what they will run and where they will write.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone installing the skill must store a Yoinkit API token; if the token or configured API URL is mishandled, Yoinkit account/API access could be exposed.
The scripts send a Yoinkit bearer token to the configured API endpoint. This is expected for a paid Yoinkit integration, but it is still account/API authority the user must protect, and the registry metadata declares no primary credential or required env var.
curl -s -H "Authorization: Bearer $YOINKIT_API_TOKEN" \
Configure the token only in OpenClaw's intended secret/env mechanism, keep YOINKIT_API_URL on the official endpoint unless deliberately testing, and rotate the token if it is exposed.
The installer may not warn users up front that they need an API token and local command-line tooling for the skill to work.
The package metadata under-declares the runtime contract: SKILL.md requires a Yoinkit API token, and the scripts use shell tooling such as curl and jq. The included code is readable and purpose-aligned, so this is a packaging/disclosure note rather than a concern.
Required binaries (all must exist): none ... Required env vars: none ... Primary credential: none
Before installing, verify curl and jq are available and expect to configure YOINKIT_API_TOKEN. The publisher should declare these requirements in metadata.
If a user copies these examples, the assistant may periodically query social platforms, summarize findings, announce results, or run follow-up workflows without a fresh manual prompt each time.
The skill includes optional scheduled-agent examples for recurring monitoring. They are disclosed and user-installed, not automatic, but they can make the assistant act on a schedule.
See the `examples/` directory for ready-to-use OpenClaw cron job configurations ... Copy any example and add it via OpenClaw's cron system.
Only add cron examples you actually want, review their schedule, timeout, delivery channel, and requested actions, and disable them when no longer needed.
If enabled, content gathered from social platforms can carry into a later agent run through a local note, which could confuse the assistant if untrusted text is interpreted as instructions.
An optional two-step workflow persists collected social-research data into an Obsidian note and later reads that note to decide which transcripts to pull and what summaries to add. This is purpose-aligned, but persistent notes that include external content should be treated as data, not instructions.
Read today's research collection note from the Obsidian vault ... Update the note ... Save the updated note back to the same file.
Keep the Obsidian workflow scoped to the intended folder/file, review generated notes periodically, and instruct the assistant to treat note contents and transcripts as untrusted source material.
