flomo-sync

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a straightforward flomo backup tool that handles sensitive notes and tokens but does not show hidden or malicious behavior.

Install only if you intend to export your flomo notes locally. Run it with an explicit private absolute --dir, keep .flomo.config out of chat and version control, treat the token like a password, and use --no-download if you do not want attachment files copied to disk.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 95%
Finding
The skill clearly instructs use of a script that reads a local config file, writes Markdown and attachment files, and calls the flomo API, yet no permissions are declared. This creates a transparency and consent problem: an agent or user may invoke filesystem and network operations without an explicit permission boundary, increasing the chance of unintended data export, overwrite, or token exposure during execution.

Intent-Code Divergence

Severity: Low
Confidence: 82%
Finding
The document says '--dir' is mandatory and must be an absolute path, but later admits the implementation falls back to the current working directory when '--dir' is omitted. That contradiction can cause output to be written into an unintended directory, which is risky for a sync tool that creates many files and downloads attachments by default.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The introductory description emphasizes backup/sync but does not clearly warn that running the skill will write many local files and download attachments by default. For an agent-operated skill, insufficient disclosure is dangerous because users may authorize it without understanding that local filesystem changes and potentially large data downloads will occur.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The script explicitly instructs users to extract a live Bearer Authorization token from browser developer tools and provide it to the script, but it does not warn that this token is a sensitive credential equivalent to account access. In this skill context, the tool syncs all flomo memos, so mishandling the token could expose a user's full note history and attachments if the token is stored insecurely, logged, pasted into shell history, or reused elsewhere.

VirusTotal

66/66 vendors flagged this skill as clean.