← Back to Skills Marketplace
474
Downloads
1
Stars
0
Active Installs
8
Versions
Install in OpenClaw
/install yuboto-omni-api
Description
Implement, troubleshoot, and generate integrations for Yuboto Omni API (SMS/Viber/messaging endpoints, callbacks, lists/contacts/blacklist, cost/balance/acco...
Usage Guidance
This package appears internally consistent for integrating with Yuboto/Octapush. Before installing or running: 1) Only provide an API key issued by Yuboto/Octapush (OCTAPUSH_API_KEY); storing it via OpenClaw config is recommended over exporting it to your shell. 2) Be aware the CLI creates persistent state/log files under $XDG_STATE_HOME or ~/.local/state/openclaw/yuboto-omni-api — full message payload storage is off by default but can be enabled with YUBOTO_STORE_FULL_PAYLOAD. 3) The scripts contact api.yuboto.com (and refresh_swagger.py fetches the live swagger). If you will run poll-pending on a schedule, review poll_pending.sh and confirm the environment it runs under has only the intended API key and permissions. 4) If you plan to override YUBOTO_BASE_URL or provide callback URLs, verify those endpoints are trusted to avoid inadvertent data transmission. If you want higher assurance, inspect/run the scripts in a restricted environment (or review the bundled files) before giving the API key to the skill.
Capability Analysis
Type: OpenClaw Skill
Name: yuboto-omni-api
Version: 1.6.2
The skill demonstrates good security practices, such as requiring API keys via environment variables (OCTAPUSH_API_KEY), explicitly avoiding `.env` file sourcing in `scripts/poll_pending.sh`, and defaulting to privacy-preserving local state storage. However, it contains a regex injection vulnerability in `scripts/find_endpoints.py` where the search query is directly used in `re.compile()` without sanitization. Additionally, the `callback_url` parameter in `scripts/yuboto_cli.py` (passed to the external Yuboto API via `scripts/yuboto_client.py`) could be exploited for SSRF or webhook abuse if an AI agent is prompted to provide a malicious URL, as the skill does not validate this URL before passing it to the API. These are vulnerabilities that could be exploited through prompt injection against the agent, but do not indicate intentional malicious behavior by the skill developer.
Capability Assessment
Purpose & Capability
Name/description ask for Yuboto/Octapush API integration and the skill requires python3 plus OCTAPUSH_API_KEY — both expected and proportional. Declared binaries, env var names, and the provided client/CLI scripts directly implement the described functionality (balance, cost, send, DLR, history, poll).
Instruction Scope
SKILL.md instructs running the included Python scripts, consulting the bundled Swagger JSON, and storing the API key in OpenClaw or an env var. The runtime instructions and helper scripts only access the API host (https://api.yuboto.com by default), documented state/log dirs, and declared env vars. There is no instruction to read unrelated system files or secrets, and scripts explicitly avoid sourcing .env files.
Install Mechanism
There is no install script; the package is script-and-docs based and uses only Python standard library (urllib) and shell. No external download-of-code-from-arbitrary-URLs or package installs are performed by the skill itself.
Credentials
The only required credential is OCTAPUSH_API_KEY (primaryEnv). Optional env vars are documented and relate to runtime behavior (state/log dirs, test number, default sender, base URL, payload storage). No unrelated credentials are requested.
Persistence & Privilege
The skill persists runtime state and logs outside the skill directory by default (XDG_STATE_HOME or ~/.local/state/openclaw/yuboto-omni-api). Defaults are privacy-minimizing (full payload persistence is disabled by default), but the user can enable full payload storage via YUBOTO_STORE_FULL_PAYLOAD=true. The skill does not request always:true and does not modify other skills.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install yuboto-omni-api - After installation, invoke the skill by name or use
/yuboto-omni-api - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.6.2
No functional or documentation changes; only metadata and comments related to helper scripts updated.
- Clarified that helper scripts use only Python standard library (e.g., `refresh_swagger.py` uses `urllib`).
- No impact on usage, features, or configuration.
- No code or command changes.
v1.6.0
**Adds explicit SMS encoding control and improves privacy defaults.**
- `send-sms` command now documents the `--sms-encoding auto` flag to detect Unicode/GSM text automatically.
- Details added for forcing `unicode` or `gsm` encoding as needed for different scripts (Greek, Arabic, etc.).
- Privacy: local state/log now stores only minimal metadata by default (disable full payload storage unless `YUBOTO_STORE_FULL_PAYLOAD=true`).
- Documentation clarifies that stored logs do not retain full payloads or recipient lists by default, enhancing privacy and compliance.
v1.5.2
yuboto-omni-api 1.5.2
- Updated documentation to clarify runtime data storage: state/log location now defaults outside the skill folder, following `$XDG_STATE_HOME/openclaw/yuboto-omni-api` or `~/.local/state/openclaw/yuboto-omni-api`.
- Added explanation for runtime state/log folder overrides (`YUBOTO_LOG_DIR` and `YUBOTO_STATE_DIR`).
- Included product info URL (`https://messaging.yuboto.com`) in documentation.
- No functional or code changes; documentation improvements only.
v1.3.1
**Changelog for yuboto-omni-api v1.3.1**
- Added OpenClaw-compatible metadata to SKILL.md, including required binaries and environment variables.
- Clarified that only the OCTAPUSH_API_KEY credential is required; `.env` is unsupported and `poll_pending.sh` now reads environment directly, not from `.env`.
- Enhanced safety defaults: `send-sms` now auto-batches (default batch size 200, cap 1000) and adds delay options; notes on default delays for bulk operations.
- Updated security and operational notes about sender ID approval, error handling for sender validation, and local log retention limits.
- Confirmed the skill remains library-free (uses Python standard library only); clarified sensitive data handling and best practices.
- No functional code changes; this is a documentation and metadata update only.
v1.3.0
- Clarified that the `OCTAPUSH_API_KEY` environment variable is required and must be set manually, as metadata may not declare it.
- Explained that `.env` files are no longer supported for credentials; use OpenClaw config or environment variables instead.
- Added section for optional environment variables (`TEST_PHONENUMBER`, `SMS_SENDER`, `YUBOTO_BASE_URL`) for testing and overrides.
- Updated instructions to emphasize OpenClaw config as the recommended setup for secure, centralized credential management.
- Improved warnings against storing unrelated secrets in `.env` and clarified credential handling best practices.
v1.2.0
- Added support for OpenClaw native credential management; API key can now be stored in `openclaw.json` for secure, centralized configuration.
- Updated setup instructions to include OpenClaw config as the recommended option.
- No code changes; documentation and configuration options improved for easier and safer credential handling.
v1.1.0
- Added guidance on required environment variables, including `OCTAPUSH_API_KEY` and optional `YUBOTO_BASE_URL`.
- Provided setup instructions for setting the API key via shell or `.env` file, with a security warning about `.env` usage.
- Noted that `poll_pending.sh` sources `.env` and explained best practices to avoid leaking unrelated secrets.
- Added `.env.example` file for easier environment setup.
- Included original API PDF in asset files and added state tracking JSON files.
- Removed obsolete reference file `references/kb_strategy.md`.
v1.0.0
Initial release of yuboto-omni-api skill.
- Provides tools and guidance for integrating with Yuboto Omni API (SMS, Viber, messaging endpoints, contacts, blacklist, cost, balance, and account methods).
- Documents workflow for identifying use cases, endpoints, and validating schemas using supplied Swagger and documentation references.
- Includes a command-line tool with commands for sending messages, checking balances, polling statuses, and more.
- Emphasizes best practices for authentication handling, error mapping, and operational security.
- Outlines clear output requirements for code and integration instructions.
Metadata
Frequently Asked Questions
What is Yuboto Omni API Assistant?
Implement, troubleshoot, and generate integrations for Yuboto Omni API (SMS/Viber/messaging endpoints, callbacks, lists/contacts/blacklist, cost/balance/acco... It is an AI Agent Skill for Claude Code / OpenClaw, with 474 downloads so far.
How do I install Yuboto Omni API Assistant?
Run "/install yuboto-omni-api" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Yuboto Omni API Assistant free?
Yes, Yuboto Omni API Assistant is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Yuboto Omni API Assistant support?
Yuboto Omni API Assistant is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Yuboto Omni API Assistant?
It is built and maintained by dinaras (@dinaras); the current version is v1.6.2.
More Skills