← Back to Skills Marketplace
1340
Downloads
0
Stars
1
Active Installs
7
Versions
Install in OpenClaw
/install openclaw-yatta-skill
Description
Personal productivity system for task and capacity management. Create and organize tasks with rich attributes (priority, effort, complexity, tags), track tim...
Usage Guidance
This skill appears to be what it says: a manual-only Yatta! API client that needs a single API key. Before installing: 1) Verify the registry/package.json metadata matches SKILL.md (ensure disable-model-invocation is set and the required env vars are declared). 2) Inspect the included scripts (scripts/verify-endpoint.sh and scripts/yatta-safe-api.sh) locally and run the verification script to confirm YATTA_API_URL is the official endpoint before exporting your key. 3) Store the YATTA_API_KEY in a secure vault or env var (do not commit it) and test actions on non-critical data first because keys have full account privileges. 4) If you rely on the skill via a published registry entry, confirm the registry now shows the correct required envs (the changelog says this was fixed).
Capability Analysis
Type: OpenClaw Skill
Name: openclaw-yatta-skill
Version: 0.2.2
The skill demonstrates a strong stated commitment to security, explicitly documenting and fixing critical shell and JSON injection vulnerabilities (RCE risk) in previous versions, and setting `disable-model-invocation: true`. However, despite claims of replacing 'ALL unsafe curl examples', the 'Create Task from Email' example in `SKILL.md` and all `curl` examples in `API-REFERENCE.md` still use direct string interpolation for JSON payloads and URL path parameters, making them vulnerable to JSON and shell injection. This represents an RCE risk if these examples are used directly with unsanitized user input, classifying the skill as suspicious due to these unaddressed vulnerabilities in the documentation examples.
Capability Assessment
Purpose & Capability
The skill declares task/project/context/comment/calendar/capacity operations and only requests the YATTA_API_KEY (plus an optional YATTA_API_URL). Those credentials and the included curl/jq-based examples are proportionate to a REST API client for Yatta! — there are no unrelated credentials or binaries requested.
Instruction Scope
SKILL.md focuses on invoking the Yatta! API, documents which operations are destructive vs read-only, instructs users how to set env vars and to verify the endpoint, and provides safe jq-based patterns. It does not instruct the agent to read unrelated system files or exfiltrate data. The skill explicitly disables autonomous model invocation (manual-only).
Install Mechanism
There is no install spec (instruction-only), which minimizes install risk. Two helper shell scripts are included (verify-endpoint.sh and yatta-safe-api.sh); they are documented as optional and appear to perform read-only verification and safe request construction. Users should still inspect these scripts before running them, but their presence is reasonable and expected for this purpose.
Credentials
Declared environment requirements are limited to YATTA_API_KEY and optionally YATTA_API_URL; the docs explicitly warn the key grants full account access and recommend secure storage and rotation. The requested vars align with the skill's destructive capabilities and are not excessive.
Persistence & Privilege
The skill declares and documents disable-model-invocation (manual-only) to avoid autonomous destructive actions. always:true is not set. Included scripts do not create persistent privileged state. Overall persistence/privilege requests are appropriate for a user-driven integration.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install openclaw-yatta-skill - After installation, invoke the skill by name or use
/openclaw-yatta-skill - Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.2.2
Registry metadata sync: Add requires.env, requires.anyBins, and primaryEnv to package.json. Fixes 'Required env vars: none' display issue. Expected ClawHub rating: BENIGN.
v0.2.1
Metadata fix: Add top-level disable-model-invocation field, declare optional verification tools (openssl, dig), update description to document v0.2.0 security fixes. VirusTotal: BENIGN (confirmed). Expected ClawHub: BENIGN.
v0.2.0
Security fixes for all VirusTotal findings: Eliminated RCE vulnerability, added endpoint verification, fixed metadata inconsistency. All safe jq patterns, comprehensive security documentation, verification tools included.
v0.1.3
Enhanced skill description with comprehensive feature coverage. Now highlights core Yatta! functionality including task management with rich attributes, capacity planning to prevent overcommitment, time tracking and streaks, Eisenhower Matrix prioritization, calendar integration, delegation management, AI-powered insights, batch operations, and multi-project workflows. No code changes - description improvements only for better discoverability on ClawdHub.
v0.1.2
Add requires.env and primaryEnv to metadata for ClawHub evaluator compatibility. Aligns with OpenClaw security team requirements.
v0.1.1
Security improvements: Added comprehensive security controls including disable-model-invocation flag, capability declarations, credential documentation, and complete API operation reference (36 operations documented). Addresses all ClawdHub security best practices.
v0.1.0
Initial release of the Yatta! skill for OpenClaw.
- Manage Yatta! tasks, projects, and contexts via API with bash and curl/jq.
- Includes setup instructions and full environment variable configuration for API access.
- Supports listing, filtering, creating, updating, and archiving tasks with numerous query options.
- Provides API examples for managing projects and assigning contexts.
- Documents all endpoints and advanced queries with ready-to-run curl commands.
Metadata
Frequently Asked Questions
What is Yatta! - Task & Capacity Management?
Personal productivity system for task and capacity management. Create and organize tasks with rich attributes (priority, effort, complexity, tags), track tim... It is an AI Agent Skill for Claude Code / OpenClaw, with 1340 downloads so far.
How do I install Yatta! - Task & Capacity Management?
Run "/install openclaw-yatta-skill" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Yatta! - Task & Capacity Management free?
Yes, Yatta! - Task & Capacity Management is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Yatta! - Task & Capacity Management support?
Yatta! - Task & Capacity Management is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Yatta! - Task & Capacity Management?
It is built and maintained by Giddy (@chrisagiddings); the current version is v0.2.2.
More Skills