reMarkable Tablet Sync
Analysis
The skill is purpose-aligned, but it deserves review because it uses a persistent reMarkable cloud token, can bulk transfer or upload tablet content, and may store private journal contents in agent memory.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.
    # Bulk upload
    rmapi mput ./local-folder/ "Remote Folder/"
    # Create folder on tablet
    rmapi mkdir "New Folder"
The skill documents raw cloud-sync commands that can bulk upload local content and mutate the tablet account, but the artifact does not require review or confirmation before these actions.
    curl -L https://github.com/ddvk/rmapi/releases/latest/download/rmapi-linux-amd64 -o ~/bin/rmapi
    chmod +x ~/bin/rmapi
The setup instructs users to download and execute the latest external binary rather than a pinned or verified release; this is user-directed and purpose-aligned but still a provenance risk.
Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.
Token saved to `~/.rmapi` — future runs are automatic
This shows the skill relies on a persistent reMarkable Cloud session/profile; after one-time login, later rmapi commands can act on the tablet account without another authentication prompt.
Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.
**Journal entries** — Fetch handwritten thoughts → interpret → append to memory/journal
The workflow contemplates converting private handwritten journal content into persistent memory/journal state, without retention, deletion, consent, or reuse boundaries.
