Alexandrie
v1.0.0CRUD operations for Alexandrie, a self-hosted Markdown note-taking app. Create, read, update, delete and search notes via REST API.
⭐ 2· 2.1k·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The name/description (CRUD for Alexandrie) align with the included alexandrie.sh script and the SKILL.md API endpoints. However, the skill metadata declares no required environment variables or config paths while the script clearly depends on a password stored at /home/eth3rnit3/clawd/.env and a specific username; that mismatch is unexpected for a general-purpose skill.
Instruction Scope
The runtime instructions and script instruct the agent to source /home/eth3rnit3/clawd/.env for ALEXANDRIE_PASSWORD and to read/write /tmp files (/tmp/alexandrie_cookies.txt, /tmp/alexandrie_user_id). The SKILL.md and registry metadata do not declare those config paths or the required secret. The script only contacts the declared API domain and does not exfiltrate to other endpoints, but reading a user-specific .env is scope creep relative to the metadata.
Install Mechanism
There is no install spec (instruction-only plus a shell script). That minimizes install-time risk because nothing arbitrary is being downloaded or extracted during install.
Credentials
The skill needs a password (ALEXANDRIE_PASSWORD) but requires no env vars in its metadata; instead it sources a hardcoded /home/eth3rnit3/clawd/.env path. It also implicitly requires curl and jq on PATH, but the required binaries list is empty. Asking to read a user-specific .env (which may contain other secrets) is disproportionate and should be declared and justified.
Persistence & Privilege
The skill is not always:true and does not request persistent system-wide privileges. It writes only local temporary files (/tmp) and a user-specific token file, and does not attempt to modify other skills or global agent config.
What to consider before installing
This skill appears to be a straightforward CLI client for a self-hosted Alexandrie instance, but it has important inconsistencies you should address before installing: 1) The script expects ALEXANDRIE_PASSWORD to be stored in /home/eth3rnit3/clawd/.env (a user-specific path) even though the skill metadata declares no config paths or env vars — verify you are comfortable allowing the skill to source that file or change the skill to accept the password via an explicitly-declared environment variable. 2) The script uses curl and jq but the metadata does not declare these dependencies — ensure those binaries are available and come from trusted sources. 3) Confirm you trust the API endpoints (api-notes.eth3rnit3.org) and the skill author since there is no homepage or known source. If you need higher assurance, ask the publisher to (a) declare required env vars (ALEXANDRIE_PASSWORD) and config paths, (b) avoid hardcoded /home paths (use a configurable path or env var), and (c) provide a canonical source/homepage or signed release. If you install anyway, consider checking the /home/eth3rnit3/clawd/.env contents and rotating any secrets that were exposed during testing.Like a lobster shell, security has layers — review code before you run it.
latestvk9798hbzgcfbvq27bpdpqxtnzs803fzd
License
MIT-0
Free to use, modify, and redistribute. No attribution required.