Capacities
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone or any agent using this token could act against the user's Capacities account within the token's permissions.
The skill requires a Capacities API token, giving the agent delegated access to the user's Capacities account. This is expected for the stated integration.
`CAPACITIES_API_TOKEN`: Obtain from Settings > Capacities API in the desktop app.
Use a token intended for this integration, avoid sharing it, and revoke or rotate it if you stop using the skill.
If invoked with the wrong text or space, the agent may add unwanted notes or weblinks to Capacities.
The skill documents direct API write operations that can add content to daily notes. This matches the stated purpose but can persist changes in the user's account.
curl -X POST https://api.capacities.io/save-to-daily-note ... -d '{"spaceId": "$CAPACITIES_SPACE_ID", "mdText": "Your note here"}'Review the content and target space before saving, and set CAPACITIES_SPACE_ID explicitly if you use multiple spaces.