Appflowy Skill
Security checks across malware telemetry and agentic risk
Overview
This appears to be a real AppFlowy API helper, but it handles account passwords unsafely, and its examples point authentication at a hard-coded IP address over unencrypted HTTP.
Review before installing or using. Replace the sample AppFlowy URLs with your own trusted HTTPS endpoints, avoid passing passwords on the command line, prefer tokens or a secret manager, and run mutating document/database commands only after confirming the target workspace and view IDs.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user's AppFlowy password could be visible to other local processes, shell history, terminal recording, or agent execution logs.
The primary documented login flow passes the user's AppFlowy account password through process argv, which can expose high-value credentials locally or in automation logs.
python skills/appflowy-api/scripts/get_token.py --email <email> --password <password>
Do not pass passwords as command-line arguments. Use an interactive prompt, a secret manager, a short-lived token, or a protected environment variable, and avoid logging commands containing credentials.
If used as-is, credentials and bearer tokens may be sent to the wrong host or over an unencrypted connection.
The reusable example configuration directs API calls and password-based GoTrue authentication to a hard-coded HTTP IP address rather than a user-supplied trusted HTTPS endpoint.
"base_url": "http://10.60.0.189", "gotrue_url": "http://10.60.0.189/gotrue"
Replace the example URL before use, prefer HTTPS, verify the AppFlowy and GoTrue hostnames, and avoid entering real credentials into a sample configuration pointed at an unknown IP.
Running the wrong command or using the wrong workspace/view IDs could modify live AppFlowy documents or database rows.
The skill clearly discloses that some workflows update AppFlowy grids in place; this is purpose-aligned but can affect live workspace data.
# General template: update the Grid from a template (modifies in place by default)
Test on a non-production workspace first, confirm workspace/view/database IDs, keep backups where possible, and review template changes before applying them.
