Is juanpin/yutori-web-research safe?

https://github.com/openclaw/skills/tree/main/skills/juanpin/yutori-web-research

Overall score: 79/100 (CAUTION)

The yutori-web-research skill is a purpose-built API integration for Yutori's cloud research and browsing services with a clean SKILL.md containing no prompt injection, hidden instructions, or privilege escalation attempts. The primary risks are an unaudited bundled Node.js runner script whose source was not captured in evidence, and the inherent design choice to transmit all user research queries to an external third-party cloud API. Canary file accesses observed in monitoring logs are attributable to the Oathe framework's own pre/post-install baseline checks, not to the skill.

Category Scores

Prompt Injection 90/100 · 30%
Data Exfiltration 62/100 · 25%
Code Execution 75/100 · 20%
Clone Behavior 93/100 · 10%
Canary Integrity 88/100 · 10%
Behavioral Reasoning 70/100 · 5%

Findings (6)

MEDIUM Bundled Node.js runner script content unauditable -25

The skill ships scripts/yutori-research.mjs as a required executable Node.js module. SKILL.md describes it as a simple Yutori API poller, but its actual source was not captured in the audit evidence. A malicious or compromised version of this file could read local environment variables, credential files, or system information and include them in API requests to Yutori's servers before the agent or user can inspect the outbound payload.

MEDIUM All user queries transmitted to external Yutori cloud service by design -20

Every research and web-browsing task created by this skill is POSTed to Yutori's API endpoints (api.dev.yutori.com or api.yutori.com). The task payload includes the full user query string. If a user includes sensitive business context, internal project names, or proprietary data in a research request, that content is sent to and processed by an external third-party service outside the user's control.

LOW Example command hardcodes skill author's personal directory path -10

SKILL.md includes a bash workflow example with 'cd /Users/juanpin/.openclaw/workspace' before calling node yutori-research.mjs. This path is specific to the skill author's macOS environment. An agent following this example literally on a different system would silently fail to cd or land in an unexpected directory. While not an injection attack, it is an imprecise instruction that could confuse agent behavior.

LOW Reads local OpenClaw configuration file for API key -7

The skill reads ~/.openclaw/openclaw.json as a fallback source for YUTORI_API_KEY. This is the documented OpenClaw credential store and is expected behavior for platform-integrated skills. However, it constitutes a local file access for credential retrieval; if the runner script is tampered with, this access could be extended to read additional secrets from the same directory.

INFO Canary files accessed during pre/post monitoring checks, not by skill -12

inotify events show .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCP application_default_credentials.json were opened and read at 11:38:57 (audit timestamp 1771933137.709) — approximately 6 seconds before the git clone commenced at 1771933143.242 — and again at 1771933155.120 after the post-install scan. The timing is consistent with Oathe's monitoring framework establishing a pre-install baseline and conducting a post-install canary check, not with any file access initiated by the skill itself. All canary files were confirmed intact with no modifications.

INFO Clean sparse-checkout install from GitHub monorepo -7

Installation used git sparse-checkout to pull only the skills/juanpin/yutori-web-research subdirectory from the openclaw/skills GitHub monorepo. All network traffic during clone was to 140.82.121.3:443 (GitHub). No unexpected processes spawned, no filesystem writes outside the skill directory, and no new listening ports or persistent connections remained after installation.