flomo-add
Pass
Audited by ClawScan on May 1, 2026.
Overview
This skill appears to do what it says—add one Flomo memo via a webhook—but the webhook URL is a sensitive write credential and memo text is sent to that URL.
Use this skill only with a Flomo webhook URL you trust. Keep .flomo.config private, confirm the memo content before sending, and be careful with dry-run or terminal output if it may reveal the webhook URL or memo text.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone with the webhook URL may be able to add memos to the associated Flomo account.
The skill relies on a Flomo webhook URL, which functions like a write credential for adding memos. This matches the stated purpose, but it is sensitive and should be protected.
A `.flomo.config` file must exist under the "current project main path" and contain `url=<flomo webhook url>` ... This URL must be generated in flomo's "Extension Center & API" and kept safe.
Store .flomo.config only in trusted project folders, avoid sharing the webhook URL, and rotate the webhook if it is exposed.
If the configured or overridden URL is wrong, private memo text could be sent to the wrong endpoint.
The script sends the memo content to a URL from config or the --url override. This is expected for webhook posting, but an unintended URL would receive the memo content.
parser.add_argument("--url", help="临时覆盖配置中的 webhook URL") ... response = requests.post(url, json=payload, headers=headers, timeout=15)
Verify the Flomo webhook URL before sending, and use the --url override only when you intentionally want to change the destination.
