ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

youclaw

v1.2.0

有米云智能营销分析助手,深度拆解广告创意,挖掘品牌投放策略,支持创意策略讨论、营销策略探讨。触发:关键词 分析品牌, 品牌分析, 策略探索, 投放策略, 创意质询, 压力测试;命令 /youclaw、/youmiyun、/creative-chat、/grill-chat、/grill-youclaw、/grill

0· 198·0 current·0 all-time
byyoucloud@sheire977

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for sheire977/youclaw.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "youclaw" (sheire977/youclaw) from ClawHub.
Skill page: https://clawhub.ai/sheire977/youclaw
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required env vars: YOUCLOUD_API_KEY
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install youclaw

ClawHub CLI

Package manager switcher

npx clawhub@latest install youclaw
Security Scan
Capability signals
Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill is a marketing/creative analysis assistant and only requires a YOUCLOUD_API_KEY and a single HTTP endpoint (aichat.youshu.youcloud.com). Those requirements are consistent with the described purpose.
!
Instruction Scope
SKILL.md instructs the agent to: accept an API key sent in chat, overwrite and read a local config.json, save session_id for follow-ups, and enforce a policy of not sending any interim messages while waiting up to 600s for the API. Asking users to paste secrets into conversation and saving them unqualified to disk (config.json) is a privacy risk; the 'no interim messages' rule is unusual and could hide long-running activity or errors from the user.
Install Mechanism
Instruction-only skill with no install spec or code files. Nothing is downloaded or written by an installer step beyond what the SKILL.md runtime instructs (reading/writing config.json).
Credentials
Only one required env var (YOUCLOUD_API_KEY) is declared, which matches the API usage. However, the skill explicitly offers users the alternative of sending the key in-chat and states it will save it locally—this is a sensitive flow that increases exposure of the credential compared to using an env var.
Persistence & Privilege
The skill does persist state (saving api_key and session_id to config.json). It does not request system-wide privileges or set always:true. Persisting secrets/session IDs is not inherently malicious but should be transparent (location, permissions, encryption).
What to consider before installing
This skill otherwise appears coherent with its stated purpose, but take precautions before installing: - Prefer setting YOUCLOUD_API_KEY as an environment variable rather than pasting it into chat. Do not send secrets in conversation unless you trust the publisher. - Ask the vendor where config.json is stored, whether the key is encrypted at rest, and whether session IDs are persisted; consider using a limited-scope/test key. - The SKILL.md’s instruction to avoid any interim messages while waiting up to 600s is unusual—be aware long requests will appear to 'freeze' the conversation until the API responds. - If you must proceed, audit the saved config.json file, restrict its filesystem permissions, and rotate the API key if you later uninstall or stop trusting the skill. If you want, I can suggest specific questions to ask the publisher about storage/encryption or a safer policy text to propose before you install.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

📊 Clawdis
EnvYOUCLOUD_API_KEY
latestvk970c255c84n380zrr670s4jdd85er5g
198downloads
0stars
3versions
Updated 3d ago
v1.2.0
MIT-0
youcloud@sheire977
latest
Download

youclaw

有米云智能营销分析助手,对接有数AI API,可深度拆解广告创意、挖掘品牌投放策略,也可针对广告创意进行深度质询与压力测试,激发符合算法逻辑的优质创意。

权限说明

仅对有米有数 策略版策略 pro 版至尊版用户开放。获取API Key方式:登录有数 → 个人中心 → 企业信息。

触发方式

  • 关键词:分析品牌、品牌分析、策略探索、投放策略、创意质询、压力测试、创意激发、创意打磨
  • 命令:
    • /youclaw/youmiyun → 调用Skill,自动判断模式
    • /creative-chat → 强制走策略探索模式
    • /grill-chat/grill-youclaw/grill → 强制走灵感激发模式

执行流程

  1. 检查API Key(按优先级):

    • 当前对话用户提供了新Key → 覆盖config.json → 继续
    • 本地config.json已有Key → 直接读取 → 继续
    • 本地为空 → 读取环境变量YOUCLOUD_API_KEY
      • 为空 → 提示用户配置: 
        请先配置API Key:
1. 登录有数 → 个人中心 → 企业信息获取API Key
2. 选项一:配置为OpenClaw环境变量 YOUCLOUD_API_KEY;选项二:直接发送给我,我帮你保存到本地。
      • 有值 → 保存到config.json → 继续
    • ✅ 规则:没有有效 API Key,绝不发送请求

  2. ⚠️ 强制红线规则(公共Skill必须严格遵守)

    • API 请求超时为 600秒,包括 tool exec 和 curl 等
    • 🔴 绝对禁止:未到超时时间不得中断请求,不得提前给用户发送任何「正在处理」「需要等待」「结果出来后告诉你」这类消息
    • 必须:一直等待API返回结果,拿到完整结果后再一次性回复给用户
    • 只有两种情况允许发消息:
      1. API返回了完整分析结果 → 直接输出结果
      2. API超时/请求报错 → 输出错误提示

  3. 确定chat_mode:

    • 强制模式(命令触发优先):
      • /creative-chat → 强制 策略探索模式(chat_mode=2) → 直接输出完整分析报告
      • /grill-chat/grill-youclaw/grill → 强制 灵感激发模式(chat_mode=5) → 渐进式追问深度打磨
    • 自动判断(关键词/内容触发):
      • 规则一(关键词优先): 用户输入包含「打磨、讨论、探讨、质询、压力测试、创意激发、深入聊聊」→ 走灵感激发模式(chat_mode=5)
      • 规则二(内容判断):
        • 内容简短(仅给出产品/品牌,没有明确说要讨论)→ 默认走策略探索模式(chat_mode=2) → 直接输出完整报告
        • 内容已经具体,用户明确问"怎么改进、如何做、帮我看看、一起聊聊" → 走灵感激发模式(chat_mode=5)
    • 总结: 命令可以强制指定模式,没有命令则自动判断;默认出完整方案,明确要讨论才进入渐进追问
    • 调用API,响应返回后直接展示结果。

  4. 跟进处理

    • 相关跟进提问(关于之前的分析/创意打磨) → 复用之前的session_id不传chat_mode(沿用会话已有模式)
    • 新的分析/创意请求 → 开启新会话,不携带session_id,传chat_mode

API Specification

  • URL: https://aichat.youshu.youcloud.com/aichat/claw
  • Method: POST JSON
  • Headers: Authorization: Bearer {KEY}, Content-Type: application/json
  • Parameters:
    • input: User question (required)
    • session_id: For follow-up questions, omit for new conversations
    • chat_mode: Chat mode, 2=策略探索(直接出完整报告),5=灵感激发(渐进式质询打磨)。仅新对话(无session_id时)需要传,连续对话不传,沿用会话已有模式
  • Response: Output output (markdown) as-is, DO NOT modify; save session_id for future follow-ups
  • Timeout: ≥600s

PowerShell 调用模板

[Console]::OutputEncoding = [System.Text.Encoding]::UTF8
$apiKey = (Get-Content config.json | ConvertFrom-Json).api_key
$body = @{input="Your analysis request"; chat_mode=2} | ConvertTo-Json -Compress
$params = @{
    Uri = "https://aichat.youshu.youcloud.com/aichat/claw"
    Method = "Post"
    ContentType = "application/json; charset=utf-8"
    Headers = @{Authorization="Bearer $apiKey"}
    Body = $body
    TimeoutSec = 600
}
Invoke-RestMethod @params | Select-Object -ExpandProperty output

错误处理

  • 401/认证失败: 
    API Key 认证失败,请检查密钥是否激活/过期?请在个人中心-企业信息 获取Api Key,或向售后人员咨询。
  • 超时:"还在分析中,稍后再问我结果或者再次请求。"
  • 其他错误:"请求返回错误 (code={code}),请检查API Key权限、账号配额或联系客服"

示例

完整输入输出示例请看 references/example.md

Comments

Loading comments...