WeRead to flomo
v1.0.1Sync WeRead (微信读书) highlights and notes into flomo with incremental deduplication and configurable sync scope. Use when the user wants to export or sync WeRe...
⭐ 0· 70·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
The script and SKILL.md implement WeRead -> flomo syncing as described: parsing local Markdown exports, building content, POSTing to a flomo webhook, and tracking sent entries. Minor mismatch: SKILL.md suggests setting WEREAD_COOKIE, but the included script does not use any cookie — likely the cookie is needed outside the skill when producing WeRead Markdown exports, not for this script itself.
Instruction Scope
Runtime instructions are narrowly scoped: they direct the agent/user to run the included script against a specified local directory of exported .md files and to provide a flomo webhook. The skill only reads files from the provided weread-dir and a per-directory state file; it does not instruct reading unrelated system files or secrets.
Install Mechanism
There is no install step (instruction-only with an included script). Nothing is downloaded or written outside the user's explicit weread-dir/state file. This is the lowest-risk install posture.
Credentials
The registry metadata lists no required env vars, but SKILL.md advises setting FLOMO_WEBHOOK (and mentions WEREAD_COOKIE). The script accepts the flomo webhook as an argument and will POST content to whichever URL is provided — this is expected and proportionate. The webhook is a sensitive secret (it can accept arbitrary notes), so the skill's need for that secret is reasonable but should be treated carefully. The advertised WEREAD_COOKIE is not used by the script and therefore appears unnecessary here.
Persistence & Privilege
The script writes a local state file (.weread-flomo-state.json) inside the provided weread export directory to track sent items. The skill does not request persistent platform-wide privileges, does not set always:true, and does not modify other skill configs.
Assessment
This skill appears to do what it claims: read local WeRead-exported Markdown files, POST entries to a flomo webhook you supply, and record which items were sent in a state file under the export directory. Before using it: (1) review the script yourself (it's included) to confirm expected behavior; (2) keep your FLOMO_WEBHOOK secret and supply it via an environment variable or CLI argument as suggested — the script will send content to that URL; (3) run --dry-run first to preview what would be sent; (4) be aware the script creates/updates .weread-flomo-state.json in the export directory; (5) the SKILL.md mentions WEREAD_COOKIE but the script doesn't use it — that cookie may only be relevant for producing the Markdown export outside this tool; (6) avoid putting webhook URLs or cookies into the skill directory or any public repo. If you want higher assurance, run the script in a controlled environment and confirm that the webhook endpoint belongs to flomo (or another trusted destination) before sending real data.Like a lobster shell, security has layers — review code before you run it.
latestvk97a3vxcp3w2df53x9kdcpfjf183nh55
License
MIT-0
Free to use, modify, and redistribute. No attribution required.