Remarkable
PassAudited by ClawScan on May 1, 2026.
Overview
This skill is purpose-aligned for fetching reMarkable notes, but users should notice that it relies on a local reMarkable cloud token and may save private handwritten content into persistent memory or journal files.
Before installing, confirm you are comfortable giving the agent access to selected reMarkable Cloud content through rmapi. Use the dedicated folder, tag, or starred-item workflow rather than broad tablet access, review extracted text before saving it to memory or journals, and verify any local rmapi binary or fetch script you run.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone using the skill should understand that it can access reMarkable Cloud content through the saved rmapi token after one-time authentication.
The skill relies on a persistent local reMarkable Cloud authentication token. This is expected for rmapi access, but it is sensitive account access and the registry metadata does not declare a primary credential or required config path.
Config: `~/.rmapi` (device token after auth) ... Token saved to `~/.rmapi` — future runs are automatic
Authenticate only if you want this agent to access selected reMarkable content, protect the `~/.rmapi` file, and revoke or remove the token if access is no longer desired.
Private journal entries or notes could become part of the agent's longer-lived context if saved to memory files.
The skill may convert handwritten notes into persistent memory or journal files. This is part of the stated workflow, but handwritten notes can contain private information and may be reused later by the agent.
OCR/interpret → append to `memory/YYYY-MM-DD.md` or a dedicated journal file
Use a dedicated shared folder or tag for content intended for the agent, review extracted text before saving it to memory, and avoid sharing sensitive notes unless persistent storage is intended.
The safety of actual fetching depends on the rmapi binary and any local helper script present on the user's machine.
The skill is instruction-only, but its documentation expects an external rmapi binary and references a local helper script that are not included in the artifact set. This is not suspicious by itself, but users should verify those local tools.
Tool: rmapi (ddvk fork) v0.0.32 ... Binary: `~/bin/rmapi` ... `~/clawd/scripts/remarkable-fetch.sh`
Install rmapi only from a trusted source, verify the helper script before running it, and keep the local fetch workflow limited to the intended shared folder, tag, or starred items.