OpenClaw Flomo Skill
v1.0.0
Read and write flomo memos on macOS. Use when user asks to fetch recent flomo notes, search memo text in local flomo cache, or create/write a new memo to flo...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw: Benign (medium confidence)
Purpose & Capability
The name/description (read/write flomo memos on macOS) aligns with what the code and docs do: the script reads the local flomo config/IndexedDB and calls flomo APIs or incoming webhook URLs to read/write memos. The declared purpose justifies access to the config and flomo API.
Instruction Scope
SKILL.md instructs running the included Python script. The script reads local files (config.json, IndexedDB .ldb, renderer.log), extracts tokens/entries, and performs network calls to flomo endpoints. Reading the local flomo config and IndexedDB is necessary for the stated features, but these files contain sensitive tokens/webhook paths, so this is notable and should be expected by the user.
Install Mechanism
This is an instruction-only skill with a bundled script; there is no external download or install step. Nothing is being pulled from remote sources at install time.
Credentials
The registry metadata lists no required env vars, but README and the script allow/expect several optional env vars (FLOMO_CONFIG_PATH, FLOMO_ACCESS_TOKEN, FLOMO_API_BASE, etc.). The script will read ~/Library/.../config.json and IndexedDB to obtain access_token and webhook info — this is required for function but is sensitive access (it can expose your flomo access token/webhook). The code also invokes system binaries (curl, strings) though the registry did not declare these requirements.
Persistence & Privilege
The skill does not request always: true, does not modify other skills, and has no install that persists system-wide beyond being copied into the OpenClaw workspace. Autonomous invocation is allowed (platform default) but not combined with other concerning privileges.
Assessment
This skill appears to do what it says: to work it reads your local flomo desktop data (config.json and IndexedDB) to obtain the access_token and to discover incoming webhook paths, and it calls flomo APIs/webhooks. That access is necessary for functionality but is sensitive: do not share your flomo config.json. Before installing, verify you trust the skill source and review scripts/flomo_tool.py yourself. Note the registry metadata does not declare required binaries (the script invokes curl and strings) or the optional env vars documented in README; ensure you are comfortable giving the script read access to ~/Library/Containers/com.flomoapp.m/... and network access to flomoapp.com. If you prefer tighter control, set FLOMO_ACCESS_TOKEN or FLOMO_CONFIG_PATH to a limited/throwaway token or run the script in a confined environment and inspect its output (it masks webhook URLs when printing).
Like a lobster shell, security has layers — review code before you run it.
flomo, latest, notes, productivity
