Noverload - Knowledge Memory

Advisory

Audited by static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A future or compromised npm package update could run locally under the user's account and access the configured Noverload token.

Why it was flagged

Activation runs the latest npm MCP package instead of a pinned, reviewed version; the package code is not present in the artifact set and will receive the token configuration.

Skill content

mcp-server:
  command: npx
  args: ["-y", "noverload-mcp@latest"]

Recommendation

Pin `noverload-mcp` to a specific trusted version, verify the package provenance, and review it before giving it a real token.

What this means

Anyone or any code with this token may be able to access the user's Noverload data according to the token's privileges.

Why it was flagged

The skill requires a personal access token to connect the agent to the user's Noverload account; read-only mode reduces but does not remove account-access sensitivity.

Skill content

NOVERLOAD_CONFIG: '{"accessToken":"${NOVERLOAD_TOKEN}","apiUrl":"https://www.noverload.com","readOnly":true}'

Recommendation

Use a dedicated, revocable token with the narrowest available permissions and keep `readOnly:true` unless write access is required.

What this means

Private saved content may be surfaced in agent responses, and untrusted saved web content could influence the agent if treated as authoritative.

Why it was flagged

The skill intentionally retrieves persistent saved content into the agent's working context, including potentially private PDFs, posts, articles, and transcripts.

Skill content

Your agent can now access your entire knowledge library. Search semantically, synthesize insights across sources...

Recommendation

Only connect libraries you are comfortable exposing to the agent, and treat retrieved content as reference material rather than instructions.

What this means

If write mode is enabled, the agent could change library organization or mark tasks complete when the user did not intend that.

Why it was flagged

The skill documents optional mutation authority over the user's Noverload library and action items.

Skill content

With `readOnly: false`, your agent can:
- Save new URLs to your library
- Add tags to content
- Mark items as swipe files
- Complete action items

Recommendation

Leave the default read-only mode enabled unless needed, and require explicit user confirmation before save, tag, or completion actions.