Youdao Note Web
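v1.0.0
Securely operates on the user's Youdao Cloud Notes; supports reading, searching, and creating notes. Invoke when the user asks to operate on Youdao Cloud Notes.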
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description say it will read, search, list, and create Youdao notes. The package contains a Python script that calls note.youdao.com endpoints and asks for the browser Cookie via YOUDAO_COOKIE — this is expected and proportional.
Instruction Scope
SKILL.md explicitly requires the full browser Cookie in an environment variable (not in chat) and instructs the agent to perform searches, list directories, read single notes, or read all notes in a folder then produce an analysis report. Reading and analyzing an entire folder is within the skill's purpose but grants the agent broad access to potentially large/private data; consider requiring explicit user confirmation before bulk-read/analysis.
Install Mechanism
There is no install spec that downloads arbitrary code; included files are a Python script and a requirements.txt (requests, brotli). This is low risk and consistent with running the script locally after installing standard Python packages.
Credentials
The only required secret is the full Youdao browser cookie via YOUDAO_COOKIE. The code extracts specific session cookies (YNOTE_CSTK, YNOTE_LOGIN, YNOTE_SESS) which are necessary for web-authenticated calls — asking for the cookie is proportionate but sensitive.
Persistence & Privilege
The skill is not always-on and does not request elevated platform privileges. It does not modify other skills or system-wide settings and relies on a runtime environment variable for auth.
Assessment
This skill appears to do exactly what it claims: talk to note.youdao.com using your browser session cookie. Before installing, consider: (1) YOUDAO_COOKIE contains sensitive session tokens — never paste it into chat and prefer storing it as a user-scoped environment variable; (2) the skill can read entire folders and will by design produce aggregated analyses, so only allow it to access folders you want processed and require explicit confirmation before bulk-reading; (3) run the Python script in a trusted environment after reviewing the youdao_api.py file yourself; (4) if you suspect the cookie has been exposed, log out of Youdao and rotate your session (re-login) to invalidate old cookies. If you want stricter control, modify the workflow so the agent asks the user to approve each note or batch before analysis.
Like a lobster shell, security has layers — review code before you run it.
