p697

YouMind

Author: Cavano · GitHub ↗ · v2.0.1
cross-platform ⚠ suspicious
Total downloads: 942
Favorites: 5
Current installs: 2
Versions: 6
Install in OpenClaw
/install youmind
Description
Use this skill when users need Youmind board operations via API (list/find/create boards, add links/files, chat, generate image/slides/docs, extract artifact...
Security usage recommendations
This skill is functionally consistent with its Youmind API claims, but it has two noteworthy surprises:
  1. Importing or running its Python scripts will auto-create a .venv, pip-install dependencies, and run 'patchright install chrome', which downloads/installs a browser binary and any pip packages.
  2. It reads and stores Youmind session cookies (via CDP or state.json) under data/, which are sensitive account credentials.
Before installing or running:
  1. Review scripts/__init__.py and remove or modify the auto-install behavior if you don't want automatic network installs.
  2. Run the skill in an isolated environment (container/VM) or sandbox.
  3. Use a dedicated Youmind account (not your primary/org account) for automation.
  4. Inspect data/ after use and securely delete saved cookies if desired.
  5. If you cannot audit or accept the automatic Chrome/download behavior, do not run the package on a high-privilege machine or network.
Functional analysis
Type: OpenClaw Skill
Name: youmind
Version: 2.0.1
The skill is classified as suspicious due to the presence of high-risk capabilities that could be abused, primarily the ability to read and upload arbitrary local files via `scripts/material_manager.py` and `scripts/api_client.py`'s `upload_file` function. While intended for legitimate file uploads to the Youmind service, a malicious prompt could instruct an AI agent to upload sensitive files (e.g., `/etc/passwd`, `~/.ssh/id_rsa`). Additionally, `scripts/run.py` uses `subprocess.call` to execute other Python scripts, and `scripts/cdp_auth.py` uses `subprocess.run` to interact with the `openclaw` CLI. Although arguments are generally controlled, these patterns represent potential command injection vulnerabilities if an AI agent's input handling is insufficient. There is no evidence of intentional malicious behavior such as data exfiltration to unauthorized third-party domains, persistence mechanisms, or obfuscated payloads designed for self-exploitation.
Capability assessment
Purpose & Capability
The code implements board, material, chat, upload, and artifact extraction APIs that match the skill description. Authentication is implemented via browser CDP cookies or a saved state.json as described. However, the package also bundles browser automation utilities and an automatic environment/bootstrap step that installs dependencies and a Chrome binary (via patchright), which is more than a minimal API client would normally require.
Instruction Scope
SKILL.md restricts browser usage to auth bootstrap/refresh and states business ops are API-only, which aligns with most code. But scripts/__init__.py executes on import and will automatically create a .venv, pip-install requirements, and invoke 'patchright install chrome' — this causes network downloads and local writes without an explicit install spec in the registry or a clear upfront warning in SKILL.md. That implicit automatic installation and browser install is out-of-band relative to the simple CLI examples and could be unexpected.
Install Mechanism
There is no declared install spec in the registry, yet on import scripts/__init__.py will create an isolated venv and run pip install -r requirements.txt and python -m patchright install chrome. This triggers network downloads and writes files/binaries to disk (including a Chrome binary via patchright). Implicit downloads of a browser binary and dependency installation raise a moderate-to-high risk surface compared with a truly 'instruction-only' skill.
Credentials
The skill requests no environment variables or external credentials in registry metadata. The code relies on Youmind cookies obtained either via a local OpenClaw browser/CDP (127.0.0.1:18800) or a local state.json file; these cookies are sensitive session credentials stored under data/ (auth_info.json / browser_state/state.json). That is proportionate to the stated purpose but requires caution because session cookies grant access to the user's Youmind account and are persisted locally.
Persistence & Privilege
The skill does not request always:true and does not modify other skills. It writes a local .venv/ and data/ directory inside the skill tree and may cause a Chrome binary installation via patchright. Those are local persistence actions limited to the skill workspace, but they are notable and may be undesired in some environments.
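How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install youmind
  3. Once installation completes, call the Skill by name or trigger it with /youmind
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history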
v2.0.1
Set x-client-type header to youmind-skill for server-side identification
v1.3.0
feat: dynamic CDP cookie fetching from OpenClaw browser - auto-refresh auth without manual state.json re-export
v1.2.0
Add artifact extraction (image/slides/doc), API-only chat manager, material manager, Chinese README
v1.1.0
API-first architecture: migrate from browser automation to HTTP API. Browser kept only for auth bootstrap. New unified api_client, chat_manager, material_manager modules.
v1.0.1
Translated all Chinese text to English in SKILL.md for universal compatibility
v1.0.0
Universal AI agent skill for YouMind boards - supports OpenClaw, Claude Code, and Codex. Query boards, add materials, manage board library via browser automation.
Metadata
Slug youmind
Version 2.0.1
License
Total installs 2
Current installs 2
Versions 6
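FAQ

What is YouMind?

Use this skill when users need Youmind board operations via API (list/find/create boards, add links/files, chat, generate image/slides/docs, extract artifact... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 942 total downloads to date.

How do I install YouMind?

Run the command "/install youmind" in the OpenClaw or Claude Code chat box for one-click installation; no additional configuration is required.

Is YouMind free?

Yes, YouMind is completely free (open source and free of charge) and can be freely downloaded, installed, and used.

Which platforms does YouMind support?

YouMind runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed YouMind?

Developed and maintained by Cavano (@p697); the current version is v2.0.1.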
