FadNote

v1.0.2

Create secure shareable self-destructing notes

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (self-destructing notes) match the provided files and behavior: the CLI encrypts input client-side and posts it to FADNOTE_URL. Required binary (node) and a configurable endpoint (FADNOTE_URL) are appropriate for this purpose. Minor note: primaryEnv is set to a URL (not a secret), which is unusual but not harmful.
Instruction Scope
SKILL.md instructs the agent to run the fadnote CLI and only references the FADNOTE_URL env var and local stdin/cli usage. The runtime script only reads stdin/args, uses crypto, and POSTs the encrypted blob to the configured endpoint. There are no instructions to read unrelated files, other environment variables, or to exfiltrate raw plaintext to third parties.
Install Mechanism
No automated install/download is present (no install spec). The package provides a local CLI script and suggests manual installation or ClawHub install. This is low-risk compared with arbitrary remote downloads or extract operations.
Credentials
Only FADNOTE_URL is required; that is proportional for a service endpoint. It is labeled as the primary credential in metadata even though it is not a secret credential — this is odd but not dangerous. The skill does not request tokens, keys, passwords, or unrelated credentials.
Persistence & Privilege
The skill does not request always:true, does not modify other skills or system configurations, and has no special persistent privileges. It can be invoked autonomously (platform default), which is expected for a user-invocable skill.
Assessment
This skill appears to do what it claims: it encrypts your content locally and POSTs an encrypted blob to the configured FADNOTE_URL, with the decryption key placed in the URL fragment (not sent to the server). Before installing or using it:

1) Verify you trust the endpoint you set in FADNOTE_URL (the server will receive encrypted blobs and metadata like TTL and size).
2) If you rely on the claimed zero-knowledge model, review the publicly linked source (https://github.com/easyFloyd/fadnote) to confirm the implementation matches the SKILL.md.
3) Remember the decryption key is embedded in the shareable URL fragment — anyone with the full URL can decrypt the note.
4) If you plan to use automatic email delivery via another skill, be aware the skill will send the decryption URL through that channel.

These are privacy/operational considerations, not evidence of malicious behavior.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🔥 Clawdis
Bins: node
Env: FADNOTE_URL
Primary env: FADNOTE_URL
