Trust Report

yatta

Personal productivity system for task and capacity management. Create and organize tasks with rich attributes (priority, effort, complexity, tags), track time and streaks, manage capacity across projects and contexts, view Eisenhower Matrix prioritization, sync calendar subscriptions, handle delegation and follow-ups, and get AI-powered insights. Supports batch operations, multi-project workflows, and real-time capacity planning to prevent overcommitment.

CONDITIONAL

Format: openclawScanner: v0.8.0Duration: 38msScanned: 1d ago · May 9, 6:55 PMSource →

Open community →Automate with the API →Join the discussion →Jump to findings →

Embed this badge

[![AgentVerus](https://agentverus.ai/api/v1/skill/bd9676a6-0563-4b9f-bacf-cd2fe1011e35/badge)](https://agentverus.ai/skill/bd9676a6-0563-4b9f-bacf-cd2fe1011e35)

Community Discussion

Community Comments

Public comments are the active feedback surface on skill reports right now. Use them to share implementation notes, edge cases, and operator context.

0 comments

No comments yet. Be the first to share your thoughts.

Continue the workflow

Keep this report moving through the activation path: rescan from the submit flow, capture real-world interactions, and wire the trust endpoint into your automation.

Rescan this skill →Record an interaction →Open comments →Automate this report →

https://agentverus.ai/api/v1/skill/bd9676a6-0563-4b9f-bacf-cd2fe1011e35/trust

Personalized next commands

Use these current-skill command blocks to keep this exact report moving through your workflow.

Record an interaction

curl -X POST https://agentverus.ai/api/v1/interactions \
  -H "Authorization: Bearer at_your_api_key" \
  -H "Content-Type: application/json" \
  -d '{"agentPlatform":"openclaw","skillId":"bd9676a6-0563-4b9f-bacf-cd2fe1011e35","interactedAt":"2026-03-15T12:00:00Z","outcome":"success"}'

Fetch trust JSON

curl https://agentverus.ai/api/v1/skill/bd9676a6-0563-4b9f-bacf-cd2fe1011e35/trust

Category Scores

Permissions

Injection

Dependencies

Behavioral

Content

100

Code Safety

Findings (11)

highCapability contract mismatch: inferred command execution is not declared-12

The scanner inferred a risky capability from the skill content/metadata, but no matching declaration was found. Add a declaration with a clear justification, or remove the behavior.

Content pattern: shell

→ Declare this capability explicitly in frontmatter permissions with a specific justification, or remove the risky behavior.

permissionsASST-03

highUnrestricted scope detected-20

Found unrestricted scope pattern: "FULL access"

**Your Yatta! API key provides FULL access to your account:**

→ Define clear boundaries for what the skill can and cannot do. Unrestricted scope is a security risk.

behavioralASST-09

mediumCapability contract mismatch: inferred network access is not declared-6

The scanner inferred a risky capability from the skill content/metadata, but no matching declaration was found. Add a declaration with a clear justification, or remove the behavior.

Content pattern: https://github.com/chrisagiddings/openclaw-yatta-skill

→ Declare this capability explicitly in frontmatter permissions with a specific justification, or remove the risky behavior.

permissionsASST-04

mediumCredential access detected (inside code block)-8

Found credential access pattern: "read "op://Private/Yatta API Key/api_key"

export YATTA_API_KEY=$(op read "op://Private/Yatta API Key/api_key")

→ Remove references to credentials and secrets. Skills should never access sensitive authentication data.

injectionASST-05

mediumSystem modification detected (inside code block)-6

Found system modification pattern: "~/.zshrc"

# Add to your shell profile (~/.zshrc, ~/.bashrc)

→ Skills should not modify system configuration or install packages globally. Bundle required dependencies.

behavioralASST-03

mediumEnvironment secret piping detected (inside code block)-5

Found environment secret piping pattern: "echo "$RESPONSE" |"

STATUS=$(echo "$RESPONSE" | tail -n1)

→ Treat shell pipelines that pass secrets from environment variables as sensitive credential handling. Avoid exposing secret values to command histories or subprocess pipelines unless absolutely necessary.

behavioralASST-05

mediumUnknown external reference-8

The skill references an unknown external domain which is classified as medium risk.

https://yattadone.com/docs/api

→ Verify that this external dependency is trustworthy and necessary.

dependenciesASST-04

lowUnknown external reference-5

The skill references an unknown external domain which is classified as low risk.

https://calendar.google.com/calendar/ical/

→ Verify that this external dependency is trustworthy and necessary.

dependenciesASST-04

lowNo explicit safety boundaries-10

The skill does not include explicit safety boundaries defining what it should NOT do.

No safety boundary patterns found

→ Add a 'Safety Boundaries' section listing what the skill must NOT do (e.g., no file deletion, no network access beyond needed APIs).

contentASST-09

infoMany external URLs referenced (5)

The skill references 5 external URLs. While not inherently dangerous, many external dependencies increase the attack surface.

URLs: https://github.com/chrisagiddings/openclaw-yatta-skill, https://zunahvofybvxpptjkwxk.supabase.co/functions/v1, https://calendar.google.com/calendar/ical/, https://yattadone.com/docs/api, https://github.com/chrisagiddings/openclaw-yatta-skill/issues

→ Minimize external dependencies to reduce supply chain risk.

dependenciesASST-04

infoError handling instructions present

The skill includes error handling instructions for graceful failure.

Error handling patterns detected

→ Keep these error handling instructions.

contentASST-09