Youdo Business
Advisory. Audited by static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
With valid company credentials, an agent using this skill could help create or update business records, initiate task payments, create invoices, or change webhook settings.
The skill documents high-impact mutating API operations, including payments, invoice creation, and webhook subscription. These are aligned with the stated YouDo Business API purpose, but they can change financial or business state.
**Pay Task**: `POST /Task/{taskId}/pay` (Requires request signing) ... **Create**: `POST /prepaymentInvoices` ... **Subscribe**: `POST /WebHook/subscribe`

Require explicit user confirmation before any create, update, delete, payment, invoice, agreement, or webhook action; verify IDs, amounts, and callback URLs; use the sandbox endpoint first where possible.
If a token or signing key is over-scoped or mishandled, the agent could act with broad company privileges in YouDo Business.
The API requires bearer JWTs and signing material that represent company authority. This is expected for the integration, but those credentials can authorize sensitive account actions.
All requests use **JSON Web Token (JWT)** signed with the **RS256** asymmetric algorithm.
- The JWT must be sent in the header: `Authorization: Bearer <JWT_TOKEN>`
Use least-privilege credentials, keep private keys out of chat history when possible, rotate credentials if exposed, and avoid giving production credentials unless the requested action truly requires them.
A misconfigured webhook could send business events to the wrong external endpoint or continue sending events after the immediate task is complete.
Webhook setup can send YouDo Business event data to a configured callback URL. The webhook capability is disclosed and purpose-aligned, but the artifact does not define data boundaries or destination validation.
**Subscribe**: `POST /WebHook/subscribe` (Body: `type`, `url`, `headers`)
Only subscribe to user-approved HTTPS callback URLs, confirm what event type will be sent, avoid unnecessary custom headers, and unsubscribe when the integration is no longer needed.
