ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Yutori research

v1.0.1

Use Yutori’s Research API and Browsing API (cloud browser) to research topics, collect sources, and extract structured facts from the web. Use when the user asks to “research X”, “monitor/find papers”, or “navigate to a site and extract info” and you have access to YUTORI dev/prod endpoints via YUTORI_API_BASE and an API key in env (YUTORI_API_KEY or ~/.openclaw/openclaw.json env.YUTORI_API_KEY).

0· 2.1k·1 current·1 all-time
by@juanpin
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description => calling Yutori Research and Browsing APIs; the included Node runner and SKILL.md implement exactly that. Required functionality (POST /v1/research/tasks and /v1/browsing/tasks) aligns with the stated purpose.
Instruction Scope
SKILL.md instructs the agent to create and poll research/browsing tasks and to return structured results. The included script only performs API calls, polling, and prints results. However both SKILL.md and the script reference reading ~/.openclaw/openclaw.json as a fallback for the API key — this means the skill will read a local config file in the user's home directory, which can contain other environment settings or secrets.
Install Mechanism
No install spec; this is an instruction-only skill with a small runner script bundled. No downloads, no archive extraction, and no package installs — low install risk.
!
Credentials
SKILL.md and the script require a YUTORI_API_KEY and suggest a YUTORI_API_BASE, but the registry metadata lists no required env vars or primary credential. That mismatch is an incoherence. The script will read the file ~/.openclaw/openclaw.json to extract env.YUTORI_API_KEY as a fallback — reading that file may expose other saved env values if the script is modified or extended.
Persistence & Privilege
always: false and no install hooks. The skill does not request persistent system presence or modify other skills' configs. It runs network calls to the declared API base (default dev/prod yutori endpoints).
What to consider before installing
This skill appears to do what it says (call Yutori research/browsing APIs), but be cautious before installing/using it: 1) The registry metadata does NOT declare the YUTORI_API_KEY requirement even though SKILL.md and the script use it — treat that as a packaging/information error and prefer to see the credential declared explicitly in the registry. 2) The bundled script will attempt to read ~/.openclaw/openclaw.json as a fallback to obtain the API key; review that file and the runner script before running to ensure you’re not unintentionally exposing other secrets. 3) Prefer setting YUTORI_API_KEY in a controlled environment variable rather than relying on a shared config file. 4) Verify the API key’s permissions (Research vs Browsing) and the intended API_BASE (dev vs prod) before use. If you do not trust the skill source, do not run the script or provide your API key until the registry metadata and SKILL.md are consistent and you have audited the code.

Like a lobster shell, security has layers — review code before you run it.

latestvk973v689r9fxqh7kkepyh1j72s80brpn
2.1kdownloads
0stars
2versions
Updated 10h ago
v1.0.1
MIT-0
@juanpin
latest
Download

yutori-web-research

Use Yutori’s cloud agents for two things:

  1. Research (wide/deep web research + citations) via POST /v1/research/tasks
  2. Browsing (web navigation agent on a cloud browser) via POST /v1/browsing/tasks

This skill is for web tasks where a dedicated web agent is helpful (papers, competitors, product info, extracting lists from a site), and where OpenClaw’s local web_fetch or browser tool is not ideal.

Preconditions (auth + endpoint)

  • Requires YUTORI_API_KEY (preferred: provided by OpenClaw Gateway env; fallback: ~/.openclaw/openclaw.json at env.YUTORI_API_KEY).
  • Endpoint defaults to dev unless overridden:
    • Set YUTORI_API_BASE=https://api.dev.yutori.com (dev)
    • or YUTORI_API_BASE=https://api.yutori.com (prod)

If requests return 403 Forbidden, the key likely lacks access to the requested API product (Research/Browsing).

Bundled runner scripts

This skill expects a small Node runner script to exist (or be bundled alongside this skill):

  • yutori-research.mjs — create + poll a research task; prints pretty text output.

Recommended: bundle it under scripts/yutori-research.mjs in this skill folder.

Workflow: Research a topic (brief + reading list)

When the user asks for research (example: “RL papers in the last month”):

  1. Write a tight query prompt that requests:

    • 1-page brief (themes + trends)
    • curated reading list (10–15 items, each with title, 1–2 sentence summary, why it matters, and link)
    • Prefer primary sources (arXiv + publisher pages)

  2. Run the research task using the runner script (example):

cd /Users/juanpin/.openclaw/workspace
node yutori-research.mjs "Research reinforcement learning papers from the last 30 days. Output (1) a concise 1-page brief of themes/trends and (2) a curated list of 12 papers with title, 2-sentence summary, why it matters, and a link. Prefer arXiv + conference links."
  1. Return results to the user as clean bullets (not raw JSON), and include source URLs.

Workflow: Browse a site and extract info (e.g., employees list)

Use the Browsing API when the user asks:

  • “Navigate to <site> and list …”
  • “Fill a form / click through pages / collect items”

Create a browsing task (example curl):

curl --request POST \
  --url "$YUTORI_API_BASE/v1/browsing/tasks" \
  --header "x-api-key: $YUTORI_API_KEY" \
  --header "Content-Type: application/json" \
  --data '{
    "task": "Give me a list of all employees (names and titles) of Yutori.",
    "start_url": "https://yutori.com",
    "max_steps": 60
  }'

Poll until succeeded, then return a deduplicated list.

Output style

  • Prefer pretty text + bullets.
  • Include the key source URLs.
  • If the agent output contains HTML (e.g., <pre>...</pre>), strip it and return plain text.

Troubleshooting

  • 401 Missing API key header: ensure you are sending the correct header. Yutori uses x-api-key for most APIs.
  • 403 Forbidden: key doesn’t have access to that product in that environment.
  • Long-running tasks: share the view_url and optionally poll longer.

Comments

Loading comments...