Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
YouMind
v2.0.1
Use this skill when users need Youmind board operations via API (list/find/create boards, add links/files, chat, generate image/slides/docs, extract artifact...
⭐ 5· 824·2 current·2 all-time
by Cavano @p697
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The code implements board, material, chat, upload, and artifact extraction APIs that match the skill description. Authentication is implemented via browser CDP cookies or a saved state.json as described. However, the package also bundles browser automation utilities and an automatic environment/bootstrap step that installs dependencies and a Chrome binary (via patchright), which is more than a minimal API client would normally require.
Instruction Scope
SKILL.md restricts browser usage to auth bootstrap/refresh and states business ops are API-only, which aligns with most code. But scripts/__init__.py executes on import and will automatically create a .venv, pip-install requirements, and invoke 'patchright install chrome' — this causes network downloads and local writes without an explicit install spec in the registry or a clear upfront warning in SKILL.md. That implicit automatic installation and browser install is out-of-band relative to the simple CLI examples and could be unexpected.
Install Mechanism
There is no declared install spec in the registry, yet on import scripts/__init__.py will create an isolated venv and run pip install -r requirements.txt and python -m patchright install chrome. This triggers network downloads and writes files/binaries to disk (including a Chrome binary via patchright). Implicit downloads of a browser binary and dependency installation raise a moderate-to-high risk surface compared with a truly 'instruction-only' skill.
Credentials
The skill requests no environment variables or external credentials in registry metadata. The code relies on Youmind cookies obtained either via a local OpenClaw browser/CDP (127.0.0.1:18800) or a local state.json file; these cookies are sensitive session credentials stored under data/ (auth_info.json / browser_state/state.json). That is proportionate to the stated purpose but requires caution because session cookies grant access to the user's Youmind account and are persisted locally.
Persistence & Privilege
The skill does not request always:true and does not modify other skills. It writes a local .venv/ and data/ directory inside the skill tree and may cause a Chrome binary installation via patchright. Those are local persistence actions limited to the skill workspace, but they are notable and may be undesired in some environments.
What to consider before installing
This skill is functionally consistent with its Youmind API claims, but it has two noteworthy surprises: (1) importing or running its Python scripts will auto-create a .venv, pip-install dependencies, and run 'patchright install chrome', which downloads/installs a browser binary and any pip packages; (2) it reads and stores Youmind session cookies (via CDP or state.json) under data/, which are sensitive account credentials. Before installing or running:
1) Review scripts/__init__.py and remove or modify the auto-install behavior if you don't want automatic network installs.
2) Run the skill in an isolated environment (container/VM) or sandbox.
3) Use a dedicated Youmind account (not your primary/org account) for automation.
4) Inspect data/ after use and securely delete saved cookies if desired.
5) If you cannot audit or accept the automatic Chrome/download behavior, do not run the package on a high-privilege machine or network.
Like a lobster shell, security has layers — review code before you run it.
