← Back to Skills Marketplace
p697

YouMind

by Cavano · GitHub ↗ · v2.0.1
cross-platform ⚠ suspicious
942
Downloads
5
Stars
2
Active Installs
6
Versions
Install in OpenClaw
/install youmind
Description
Use this skill when users need Youmind board operations via API (list/find/create boards, add links/files, chat, generate image/slides/docs, extract artifact...
Usage Guidance
This skill is functionally consistent with its Youmind API claims, but it has two noteworthy surprises: (1) importing or running its Python scripts will auto-create a .venv, pip-install dependencies, and run 'patchright install chrome', which downloads/installs a browser binary and any pip packages; (2) it reads and stores Youmind session cookies (via CDP or state.json) under data/, which are sensitive account credentials. Before installing or running: 1) Review scripts/__init__.py and remove or modify the auto-install behavior if you don't want automatic network installs. 2) Run the skill in an isolated environment (container/VM) or sandbox. 3) Use a dedicated Youmind account (not your primary/org account) for automation. 4) Inspect data/ after use and securely delete saved cookies if desired. 5) If you cannot audit or accept the automatic Chrome/download behavior, do not run the package on a high-privilege machine or network.
Capability Analysis
Type: OpenClaw Skill Name: youmind Version: 2.0.1 The skill is classified as suspicious due to the presence of high-risk capabilities that could be abused, primarily the ability to read and upload arbitrary local files via `scripts/material_manager.py` and `scripts/api_client.py`'s `upload_file` function. While intended for legitimate file uploads to the Youmind service, a malicious prompt could instruct an AI agent to upload sensitive files (e.g., `/etc/passwd`, `~/.ssh/id_rsa`). Additionally, `scripts/run.py` uses `subprocess.call` to execute other Python scripts, and `scripts/cdp_auth.py` uses `subprocess.run` to interact with the `openclaw` CLI. Although arguments are generally controlled, these patterns represent potential command injection vulnerabilities if an AI agent's input handling is insufficient. There is no evidence of intentional malicious behavior such as data exfiltration to unauthorized third-party domains, persistence mechanisms, or obfuscated payloads designed for self-exploitation.
Capability Assessment
Purpose & Capability
The code implements board, material, chat, upload, and artifact extraction APIs that match the skill description. Authentication is implemented via browser CDP cookies or a saved state.json as described. However, the package also bundles browser automation utilities and an automatic environment/bootstrap step that installs dependencies and a Chrome binary (via patchright), which is more than a minimal API client would normally require.
Instruction Scope
SKILL.md restricts browser usage to auth bootstrap/refresh and states business ops are API-only, which aligns with most code. But scripts/__init__.py executes on import and will automatically create a .venv, pip-install requirements, and invoke 'patchright install chrome' — this causes network downloads and local writes without an explicit install spec in the registry or a clear upfront warning in SKILL.md. That implicit automatic installation and browser install is out-of-band relative to the simple CLI examples and could be unexpected.
Install Mechanism
There is no declared install spec in the registry, yet on import scripts/__init__.py will create an isolated venv and run pip install -r requirements.txt and python -m patchright install chrome. This triggers network downloads and writes files/binaries to disk (including a Chrome binary via patchright). Implicit downloads of a browser binary and dependency installation raise a moderate-to-high risk surface compared with a truly 'instruction-only' skill.
Credentials
The skill requests no environment variables or external credentials in registry metadata. The code relies on Youmind cookies obtained either via a local OpenClaw browser/CDP (127.0.0.1:18800) or a local state.json file; these cookies are sensitive session credentials stored under data/ (auth_info.json / browser_state/state.json). That is proportionate to the stated purpose but requires caution because session cookies grant access to the user's Youmind account and are persisted locally.
Persistence & Privilege
The skill does not request always:true and does not modify other skills. It writes a local .venv/ and data/ directory inside the skill tree and may cause a Chrome binary installation via patchright. Those are local persistence actions limited to the skill workspace, but they are notable and may be undesired in some environments.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install youmind
  3. After installation, invoke the skill by name or use /youmind
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v2.0.1
Set x-client-type header to youmind-skill for server-side identification
v1.3.0
feat: dynamic CDP cookie fetching from OpenClaw browser - auto-refresh auth without manual state.json re-export
v1.2.0
Add artifact extraction (image/slides/doc), API-only chat manager, material manager, Chinese README
v1.1.0
API-first architecture: migrate from browser automation to HTTP API. Browser kept only for auth bootstrap. New unified api_client, chat_manager, material_manager modules.
v1.0.1
Translated all Chinese text to English in SKILL.md for universal compatibility
v1.0.0
Universal AI agent skill for YouMind boards - supports OpenClaw, Claude Code, and Codex. Query boards, add materials, manage board library via browser automation.
Metadata
Slug youmind
Version 2.0.1
License
All-time Installs 2
Active Installs 2
Total Versions 6
Frequently Asked Questions

What is YouMind?

Use this skill when users need Youmind board operations via API (list/find/create boards, add links/files, chat, generate image/slides/docs, extract artifact... It is an AI Agent Skill for Claude Code / OpenClaw, with 942 downloads so far.

How do I install YouMind?

Run "/install youmind" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is YouMind free?

Yes, YouMind is completely free (open-source). You can download, install and use it at no cost.

Which platforms does YouMind support?

YouMind is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created YouMind?

It is built and maintained by Cavano (@p697); the current version is v2.0.1.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 Comments