Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Appflowy Skill

v0.1.0

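Authentication and call flow for the AppFlowy Cloud/GoTrue API (obtaining tokens, workspaces/documents/databases/search, etc.). Use when writing or debugging AppFlowy API clients, scripts, or automation in Python in this repository, or when troubleshooting API issues.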

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description claim AppFlowy API automation and the repository contains Python/Node client code, helper scripts, API references, and templates that match that purpose. The included scripts implement token retrieval, workspace/database/document operations and template application — all coherent with the stated purpose.
Instruction Scope
SKILL.md instructs the agent/user to supply base/gotrue URLs and credentials (email/password or token) and to run the included scripts. The runtime instructions do not ask the agent to read unrelated system files or exfiltrate data to third-party endpoints; .env is only read when explicitly passed via --env.
Install Mechanism
There is no install spec (instruction-only from registry), and all code is bundled in the skill. No downloads or remote install URLs are present in the manifest. The repo contains a package.json and some .mjs helpers but there is no automatic installer declared.
Credentials
Registry metadata lists no required env vars, but the code legitimately supports and reads AppFlowy-related env vars (APPFLOWY_BASE_URL, API_EXTERNAL_URL / APPFLOWY_GOTRUE_BASE_URL, APPFLOWY_CLIENT_VERSION, APPFLOWY_DEVICE_ID) and optional .env/config files. This is proportionate to the skill's purpose, but the registry metadata could have declared these optional envs to be more explicit.
Persistence & Privilege
Skill does not request always:true, does not modify other skills, and does not claim persistent/system-wide privileges. It runs as invoked and uses local scripts and network calls to user-specified AppFlowy endpoints.
Assessment
This skill appears to be a normal client/tooling bundle for self-hosted AppFlowy. Before installing or running it:
1) Only provide your AppFlowy base/gotrue URLs and credentials if you trust the skill source; credentials (email/password or tokens) are required to operate against your instance.
2) The repo contains Node (.mjs) helpers and a package.json — inspect dependencies in package.json and avoid running untrusted node scripts without reviewing them.
3) The provided config.example shows an internal IP (10.60.0.189) as an example; verify you point the tool at your own AppFlowy endpoints.
4) If you need extra assurance, run the scripts in a sandboxed environment or review doc_grid_lib.py and the collab JS helpers to confirm they only operate on data passed to them and do not contact unexpected external endpoints.

Like a lobster shell, security has layers — review code before you run it.
