Floreo
Review
Audited by ClawScan on May 10, 2026.
Overview
Review before installing: Floreo is mostly purpose-aligned, but it documents persistent activity monitoring and external sync for sensitive life data while bundled privacy notes contradict those capabilities.
Install only if you want an autonomous life-logging system. Before enabling automation, confirm which directories, repositories, calendars, and services it may watch or sync; use least-privilege API keys; and make sure you know how to disable cron jobs, file watchers, and external integrations.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user could believe the skill is fully offline/manual when other bundled documentation says it can monitor activity and connect to cloud services.
This privacy assurance conflicts with SKILL.md and clawhub.json, which advertise autonomous background activity detection and Notion/GitHub/Calendar sync. The contradiction could mislead users about whether the skill runs background monitoring or sends data to external services.
What This Skill Does NOT Do ... ❌ No background processes ... ❌ No external API calls ... ✅ 100% offline
Treat the current SKILL.md as the active behavior, and only enable watchers or integrations after confirming the exact data collected, destinations, and disable/removal steps.
If enabled, the skill may keep watching repositories, files, and calendars in the background.
The skill explicitly supports persistent autonomous monitoring and scheduled analysis. This is aligned with the autonomous journal purpose, but it can continue operating after setup and observe private activity.
Autonomous operation — Background processes watch for activities (git commits, file changes, calendar events) ... Shell script automation — Scheduled analysis runs via cron/heartbeat
Enable autonomous mode only for specific directories/accounts, review any cron or watcher setup, and keep a clear disable/uninstall procedure.
Tokens or API keys could grant access to external accounts if over-scoped or stored insecurely.
Optional Notion, GitHub, Calendar, and Slack integrations require service credentials. This is expected for sync features, but credentials are sensitive and the registry metadata declares no primary credential.
External: Configurable via API keys in ~/.openclaw/customers/.floreo-config/
Use least-privilege tokens, avoid broad account scopes, and do not place unrelated credentials in the Floreo config file.
Private life-logging data could leave local storage if integrations are enabled.
The skill can send or sync personal journal/activity data to external services. This is disclosed and purpose-aligned, but the data may include sensitive health, productivity, relationship, or calendar information.
Open connections — Optional integrations with external services (Notion, GitHub, Calendar APIs) ... Slack webhook for notifications
Keep external sync disabled unless needed, verify privacy tiers/export rules, and review what fields are sent to each service.
Users may have trouble determining which documentation accurately describes the installed skill.
The registry and _meta.json report version 0.2.1, while package.json reports 0.2.0 and the included release notes contain conflicting feature claims. This is a provenance/documentation consistency issue rather than proof of malicious behavior.
"version": "0.2.0"
Confirm the repository tag or commit for version 0.2.1 and prefer a single, current privacy/security statement.
