WeRead to flomo
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The sync purpose is clear, but the skill asks for sensitive WeRead/flomo credentials without declaring them in metadata and without clearly explaining the WeRead cookie handling.
Review the script and credential handling before installing. Use a dry-run first, prefer today/date mode before all-mode, keep the flomo webhook and any WeRead cookie outside the skill directory, and do not provide a WeRead session cookie unless the maintainer clearly documents why it is required and how it is protected.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If mishandled, these credentials could expose private reading data or allow unwanted note creation in flomo.
These are sensitive credentials: a flomo webhook can write to the user's account, and a WeRead cookie may represent an authenticated session. The supplied metadata says there are no required env vars or primary credential, and the workflow examples do not clearly show why the WeRead cookie is needed or how it is bounded.
Set `FLOMO_WEBHOOK` and `WEREAD_COOKIE` via environment variables or config files outside the skill package.
Declare the required credentials in metadata, explain exactly whether the WeRead cookie is needed and what it is used for, and avoid asking for it if the skill only processes already-exported Markdown files.
Running all-mode without review could create many notes in flomo.
This documented non-dry-run command can bulk-send all exported entries to flomo. That matches the skill's purpose, but it is a real external write action.
```shell
python3 ./scripts/weread_to_flomo.py --weread-dir /path/to/weread --mode all --flomo-webhook "$FLOMO_WEBHOOK"
```
Use `--dry-run` first, prefer today/date mode when uncertain, and require explicit user confirmation before a real or bulk sync.
A local file may reveal which highlights or reviews were synced and may affect future deduplication behavior.
The skill persists local deduplication state tied to reading annotations. This is scoped and purpose-aligned, but users should know a local state file is created.
State file defaults to `.weread-flomo-state.json` under the WeRead export directory.
Keep the export directory private, back up or delete the state file intentionally, and document how to reset sync state.
Users have less external context for trusting the included script.
The skill has limited provenance information. There is no remote install step and the static scan is clean, so this is a provenance note rather than evidence of malicious behavior.
Source: unknown; Homepage: none
Inspect the script before use, publish source/homepage information, and avoid entering sensitive cookies unless the credential handling is documented.
