Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

YouMind

v2.0.1

Use this skill when users need Youmind board operations via API (list/find/create boards, add links/files, chat, generate image/slides/docs, extract artifact...

by Cavano @p697
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.

Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)

Purpose & Capability
The code implements board, material, chat, upload, and artifact extraction APIs that match the skill description. Authentication is implemented via browser CDP cookies or a saved state.json as described. However, the package also bundles browser automation utilities and an automatic environment/bootstrap step that installs dependencies and a Chrome binary (via patchright), which is more than a minimal API client would normally require.
! Instruction Scope
SKILL.md restricts browser usage to auth bootstrap/refresh and states business ops are API-only, which aligns with most code. But scripts/__init__.py executes on import and will automatically create a .venv, pip-install requirements, and invoke 'patchright install chrome' — this causes network downloads and local writes without an explicit install spec in the registry or a clear upfront warning in SKILL.md. That implicit automatic installation and browser install is out-of-band relative to the simple CLI examples and could be unexpected.
! Install Mechanism
There is no declared install spec in the registry, yet on import scripts/__init__.py will create an isolated venv and run pip install -r requirements.txt and python -m patchright install chrome. This triggers network downloads and writes files/binaries to disk (including a Chrome binary via patchright). Implicit downloads of a browser binary and dependency installation raise a moderate-to-high risk surface compared with a truly 'instruction-only' skill.
Credentials
The skill requests no environment variables or external credentials in registry metadata. The code relies on Youmind cookies obtained either via a local OpenClaw browser/CDP (127.0.0.1:18800) or a local state.json file; these cookies are sensitive session credentials stored under data/ (auth_info.json / browser_state/state.json). That is proportionate to the stated purpose but requires caution because session cookies grant access to the user's Youmind account and are persisted locally.
Persistence & Privilege
The skill does not request always:true and does not modify other skills. It writes a local .venv/ and data/ directory inside the skill tree and may cause a Chrome binary installation via patchright. Those are local persistence actions limited to the skill workspace, but they are notable and may be undesired in some environments.
What to consider before installing
This skill is functionally consistent with its Youmind API claims, but it has two noteworthy surprises: (1) importing or running its Python scripts will auto-create a .venv, pip-install dependencies, and run 'patchright install chrome', which downloads/installs a browser binary and any pip packages; (2) it reads and stores Youmind session cookies (via CDP or state.json) under data/, which are sensitive account credentials. Before installing or running:

  1) Review scripts/__init__.py and remove or modify the auto-install behavior if you don't want automatic network installs.
  2) Run the skill in an isolated environment (container/VM) or sandbox.
  3) Use a dedicated Youmind account (not your primary/org account) for automation.
  4) Inspect data/ after use and securely delete saved cookies if desired.
  5) If you cannot audit or accept the automatic Chrome/download behavior, do not run the package on a high-privilege machine or network.

Like a lobster shell, security has layers — review code before you run it.


SKILL.md

Youmind API Skill (API-Only Runtime)

Use HTTP APIs for business operations. Do not use browser fallback for board/material/chat actions.

Runtime Rules

  • API-only for boards, materials, chat, and artifact extraction.
  • Browser automation is only allowed for auth bootstrap/refresh (auth_manager.py).
  • For board-scoped commands, prefer --board-id; --board-url is also supported in material/chat/artifact/wrapper commands.

Authentication

python3 scripts/run.py auth_manager.py status
python3 scripts/run.py auth_manager.py validate
python3 scripts/run.py auth_manager.py setup
python3 scripts/run.py auth_manager.py reauth
python3 scripts/run.py auth_manager.py clear

Board Commands

python3 scripts/run.py board_manager.py list

python3 scripts/run.py board_manager.py find --query "roadmap"

python3 scripts/run.py board_manager.py get --id <board-id>

python3 scripts/run.py board_manager.py create --name "My Board"
python3 scripts/run.py board_manager.py create --name "My Board" --prompt "Initialize this board for AI coding agent research"

Material Commands

python3 scripts/run.py material_manager.py add-link --board-id <board-id> --url "https://example.com"
python3 scripts/run.py material_manager.py add-link --board-url "https://youmind.com/boards/<id>" --url "https://example.com"

python3 scripts/run.py material_manager.py upload-file --board-id <board-id> --file /path/to/file.pdf

python3 scripts/run.py material_manager.py get-snips --ids "<snip-id-1>,<snip-id-2>"

python3 scripts/run.py material_manager.py list-picks --board-id <board-id>

Chat Commands

python3 scripts/run.py chat_manager.py create --board-id <board-id> --message "Summarize key ideas"

python3 scripts/run.py chat_manager.py send --board-id <board-id> --chat-id <chat-id> --message "Give next steps"

python3 scripts/run.py chat_manager.py history --board-id <board-id>
python3 scripts/run.py chat_manager.py detail --chat-id <chat-id>
python3 scripts/run.py chat_manager.py detail-by-origin --board-id <board-id>
python3 scripts/run.py chat_manager.py mark-read --chat-id <chat-id>

python3 scripts/run.py chat_manager.py generate-image --board-id <board-id> --prompt "Minimal blue AI poster"
python3 scripts/run.py chat_manager.py generate-slides --board-id <board-id> --prompt "6-page AI coding agent roadmap"
python3 scripts/run.py chat_manager.py create --board-id <board-id> --message "Write a 1-page product brief"

Artifact Extraction

python3 scripts/run.py artifact_manager.py extract --chat-id <chat-id>
python3 scripts/run.py artifact_manager.py extract-latest --board-id <board-id>
python3 scripts/run.py artifact_manager.py extract-latest --board-url "https://youmind.com/boards/<id>"
python3 scripts/run.py artifact_manager.py extract --chat-id <chat-id> --include-raw-content

Extraction semantics:

  • image_generate: returns image URLs and media_ids.
  • slides_generate: returns per-slide image URLs and media_ids (no direct .pptx file URL currently).
  • write: returns page_id, preview content, and optional raw doc content with --include-raw-content.

Compatibility Wrapper

python3 scripts/run.py ask_question.py --board-id <board-id> --question "..."
python3 scripts/run.py ask_question.py --board-url "https://youmind.com/boards/<id>" --question "..."
python3 scripts/run.py ask_question.py --board-id <board-id> --chat-id <chat-id> --question "..."

Local Data

Local auth state:

data/
├── auth_info.json
└── browser_state/
    └── state.json

Do not commit data/.

Files

26 total