FadNote
Pass
Audited by ClawScan on May 10, 2026.
Overview
FadNote does what it claims: it locally encrypts user-provided text, uploads the encrypted note to a configured FadNote server, and returns a one-time share link.
This skill appears safe for its stated purpose, but only use it with a FadNote server you trust and share the generated URL carefully because the link contains the decryption key.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The server receives encrypted note data and metadata, and anyone who gets the final URL including the fragment key can read the note once.
The skill uploads the locally encrypted note blob to a configured external FadNote endpoint. This is purpose-aligned and the code keeps the decryption key out of the POST body, but sensitive user content still depends on correct endpoint and link handling.
const FADNOTE_URL = process.env.FADNOTE_URL || 'https://fadnote.com'; ... await fetch(`${FADNOTE_URL}/n`, { method: 'POST', ... body: blob });
Use a trusted FADNOTE_URL, verify the recipient before sharing the generated link, and treat the full URL as sensitive.
A secret could be exposed locally if it is placed directly in a command line, copied from the clipboard, or included in a file without review.
The documentation shows passing secrets, files, and clipboard contents into the CLI. That is expected for this tool, but users should notice that local command invocations, agent transcripts, shell history, or selected files may expose more than intended before encryption/upload.
[runs: echo "sk-abc123xyz" | fadnote] ... cat file.txt | fadnote ... pbpaste | fadnote
Prefer safe stdin or agent-managed secret input where possible, and review file or clipboard contents before creating a note.
