ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Youdo Business

Work with the YouDo Business API. Use when asked to interact with YouDo Business to manage employees, projects, tasks, payments, webhooks, or generate signed...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 25 · 0 current installs · 0 all-time installs
by@thisisevgeniy
MIT-0
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name, description, and the listed endpoints/auth method align with a YouDo Business API integration: employees, projects, tasks, payments, webhooks, and request signing are all coherent with the stated purpose.
Instruction Scope
SKILL.md clearly documents base URLs, endpoints, JWT usage, and a request-signing scheme (RS256, string-to-sign, headers). It does not instruct the agent to read unrelated files or system paths. However, it presumes access to signing keys/JWT tokens without specifying how those should be obtained or handled at runtime.
Install Mechanism
Instruction-only skill with no install spec and no code files — nothing is written to disk or downloaded, which is the lowest install risk.
!
Credentials
The skill declares no required environment variables or primary credential, yet the documented workflow requires sensitive material (JWTs and an RS256 private key or equivalent) to sign tokens and requests. The absence of declared secret inputs or guidance on secure storage/access is a mismatch and reduces transparency about what the agent will need at runtime.
Persistence & Privilege
always:false and default invocation settings — the skill does not request elevated/persistent presence or make changes to other skills or global agent configuration.
What to consider before installing
This skill appears to be a straightforward API integration, but it omits how to provide and protect the sensitive signing material it requires. Before installing or invoking it: (1) Confirm where/how you'll supply JWTs and the RS256 private key (prefer platform secret storage or a vault; avoid pasting private keys into chat). (2) Ensure tokens are least-privilege and short-lived and that the agent/platform will not persist secrets improperly. (3) Verify webhook callback URLs and TLS certificate validation when subscribing. (4) Ask the skill maintainer (or review the runtime integration) to explicitly declare required credentials/env vars and to document secure key-handling — this transparency reduces risk. If you cannot guarantee secure key provisioning/storage, treat the skill as higher risk and do not provide private keys or long-lived credentials to the agent.

Like a lobster shell, security has layers — review code before you run it.

Current versionv2026.3.13
Download zip
latestvk97aqyxmxvtnrfjczaqfp11csh830aj9

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

YouDo Business API Skill

This skill provides the knowledge and guidelines for interacting with the YouDo Business API.

Base URLs

  • Production: https://business-api.youdo.com/api/v1
  • Sandbox/Test: https://business-api.public-test.youdo.sg/api/v1
  • Swagger: https://business-api.youdo.com/api/doc/index.html

Authentication

All requests use JSON Web Token (JWT) signed with the RS256 asymmetric algorithm.

  • The JWT must be sent in the header: Authorization: Bearer <JWT_TOKEN>
  • Header: {"alg": "RS256", "typ": "JWT", "kid": "<Key ID>"}
  • Payload: {"iss": "<Issuer ID>", "cid": "<Company ID>"}

Request Signing

Certain methods (like /api/v1/Task/{taskId}/pay) require request signing. You must include the following headers:

  • Date: Current time, RFC 7231 (e.g., Tue, 19 Feb 2019 08:43:02 GMT)
  • Content-SHA256: SHA256 hex hash of the request body (empty string for GET).
  • Signature: RS256 signed hex string of the request string.

String to Sign format:

Uppercase(RequestMethod) + "\n"
RequestPath + "\n"
RequestQuery + "\n"  // Alphabetically sorted, URLEncoded
SignedRequestHeaders + "\n" // Alphabetically sorted, lowercased keys
SHA256Hex(RequestPayload)

Key Endpoints

Employees (Исполнители)

  • Create: POST /Employee
    • Body: phone, firstName, lastName, inn, projectId
  • Get Info: GET /Employee/{id}
  • Search: POST /Employe/search (Body: projectIds, employeeName, inns, phones, itemsPerPage, page)
  • Find by Phone: GET /Employe/byPhone/{phone}
  • Add to Project: POST /Employee/addToProject
  • Remove from Project: DELETE /Employee/{id}/deleteFromProject/{projectId}
  • Restart Binding: PUT /Employee/{id}/binding/restart

Projects (Проекты)

  • Get Projects: GET /Project/Projects

Tasks & Payments (Задания и выплаты)

  • Create Internal Task: POST /Task/internal
  • Create External Task: POST /Task/external
  • Get Task: GET /Task/{taskId}
  • Update Task: PUT /Task/{taskId}
  • Pay Task: POST /Task/{taskId}/pay (Requires request signing)
  • Resend Offer: PUT /Task/{taskId}/resendOffer

Documents (Документы)

  • Download Doc: GET /Documents/{documentId}
  • Download Cert: GET /Documents/{documentId}/certificate

Payments Report (Отчет агента)

  • List Payments: POST /Payments (Body: from, to, inn, taskIds, ids)

Framework Agreements (Рамочные соглашения)

  • Get Agreements: GET /FrameworkAgreements/employees/{employeeId}/projects/{projectId}
  • Create: POST /FrameworkAgreements
  • Stop: POST /FrameworkAgreements/{agreementId}/stop

Prepayment Invoices (Счета на предоплату)

  • Create: POST /prepaymentInvoices (Body: companyId, amount)
  • Get: GET /prepaymentInvoices/{id}

Balance (Баланс)

  • By Company: GET /Balance/byCompany?companyId={id}
  • By Project: GET /Balance/byProject?projectId={id}

Webhooks

  • Subscribe: POST /WebHook/subscribe (Body: type, url, headers)
  • Unsubscribe: DELETE /WebHook/{type}/unsubscribe

Files

1 total
Select a file
Select a file to preview.

Comments

Loading comments…