ClawHub

Craft Notes

v1.0.0

Manage Craft notes, documents, and tasks via CLI. Use when the user asks to add notes, create documents, manage tasks, search their Craft documents, or work with daily notes. Craft is a note-taking app for macOS/iOS.

2· 2k·3 current·4 all-time
by@noah-ribaudo
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill claims to manage Craft documents via a CLI which legitimately requires a Craft Connect URL/token. However the package declares no required environment variables or primary credential even though the SKILL.md instructs the user to set CRAFT_API_URL. That mismatch suggests metadata is incomplete or incorrect.
!
Instruction Scope
Runtime instructions tell the agent/user to copy scripts/craft to ~/bin/craft and to set CRAFT_API_URL. The instructions do not ask for unrelated system files, but they reference a script path (scripts/craft) that is not present in the bundle, and they rely on an environment variable not declared elsewhere.
!
Install Mechanism
The embedded metadata includes an install action that would copy a script into ~/bin (potentially adding an executable to the user's PATH). No install spec files are present in the bundle — the referenced scripts/craft file is missing. An install that writes/executes an unknown script is a risk; lack of the script here is an incoherence (either the skill was packaged incompletely or metadata is misleading).
!
Credentials
The SKILL.md explicitly requires CRAFT_API_URL (which contains access credentials to the user's Craft data) but the skill declares no required env vars or primary credential. Sensitive data is implied but not declared, which prevents automated reviewers from knowing the skill needs secrets.
Persistence & Privilege
The skill is not marked always:true and does not request elevated OS privileges. The only persistence implied is installing a script to ~/bin, which is a typical user-level modification but should be inspected before installing.
What to consider before installing
This skill looks like a normal Craft CLI wrapper but has packaging and metadata inconsistencies you should resolve before installing. Specifically: - The SKILL.md asks you to set CRAFT_API_URL (this is the Craft Connect link/token used to access your data), but the skill metadata does not declare that env var — treat that as a sensitive credential. Do not paste your link/token into anything you haven't reviewed. - The metadata references an install script at scripts/craft that is not included in the bundle. Ask the publisher for the script source or the full package. Do not install a script you haven't inspected; an executable placed in ~/bin runs with your user privileges and can access your files. - If you decide to proceed, request the install script content and review it to ensure it only calls the Craft API and does not exfiltrate other data. Prefer installing manually by following the SKILL.md steps rather than running an unattended installer. If you cannot obtain the missing script or a trustworthy source, treat this skill as untrusted. If the publisher provides the script, verify it only uses the declared CRAFT_API_URL and does not read other credentials or arbitrary files.

Like a lobster shell, security has layers — review code before you run it.

latestvk976yqw04pbfr4nez7s3t0e1xn7zvm2h

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments