flomo-sync
Review
Audited by ClawScan on May 1, 2026.
Overview
This skill appears to do what it says—back up flomo notes to local Markdown—but it handles a flomo access token and private memo/attachment data.
Use this only with a token you are comfortable granting for flomo export, keep the token in .flomo.config rather than chat, run it with an explicit absolute --dir pointing to a private folder, and protect the exported Markdown and attachments from git, cloud sync, or shared access unless that is intended.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone or any agent process using this token can access and export the user's flomo memo data.
The skill requires a flomo access token, which grants account access needed to retrieve the user's memos. The documentation advises keeping it out of chat, which is appropriate.
flomo token (read from `.flomo.config` under the project's main path; avoid exposing it in plaintext in the conversation)
Store the token only in the intended local .flomo.config file, do not paste it into chat, and rotate the token if it may have been exposed.
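The two checks a practitioner would want around that config file, as an added example and not the flomo-sync skill's own code: refuse a `.flomo.config` that other local users can read, and redact the token before anything about it reaches a log or a chat transcript. The file layout (JSON with a "token" key) and the token value are assumptions constructed for this example; the review page does not show the skill's real config format.

```python
"""Added example: load a flomo access token from a local config file safely.
Assumptions (not from the skill): the file is JSON with a "token" key."""
import json
import os
import stat
from pathlib import Path


class TokenConfigError(Exception):
    """Raised when the config is missing, unreadable, or too permissive."""


def load_token(config_path: Path) -> str:
    """Return the token from config_path, refusing files readable by group/other."""
    st = config_path.stat()
    if not stat.S_ISREG(st.st_mode):
        raise TokenConfigError(f"{config_path} is not a regular file")
    if st.st_mode & 0o077:  # any group/other permission bit set
        raise TokenConfigError(
            f"{config_path} is readable by other users; run: chmod 600 {config_path}"
        )
    data = json.loads(config_path.read_text(encoding="utf-8"))
    token = data.get("token")
    if not isinstance(token, str) or not token.strip():
        raise TokenConfigError(f"no usable 'token' entry in {config_path}")
    return token.strip()


def redact(token: str) -> str:
    """Keep just enough of the token to tell which one is loaded, for logs only."""
    if len(token) <= 8:
        return "****"
    return token[:4] + "..." + token[-4:]


def demo() -> dict:
    """Exercise both paths in a temporary directory; returns results for checking."""
    import tempfile

    results = {}
    d = Path(tempfile.mkdtemp())
    good = d / ".flomo.config"
    # Constructed placeholder token; not a real flomo credential.
    good.write_text(json.dumps({"token": "flomo_example_token_0123456789"}), encoding="utf-8")
    os.chmod(good, 0o600)
    tok = load_token(good)
    results["loaded"] = tok
    results["redacted"] = redact(tok)  # what a log line should contain, not the raw token

    loose = d / "loose.config"
    loose.write_text(json.dumps({"token": "another_placeholder"}), encoding="utf-8")
    os.chmod(loose, 0o644)  # world-readable: must be refused
    try:
        load_token(loose)
        results["loose"] = "accepted"
    except TokenConfigError:
        results["loose"] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

The permission check is deliberately strict: a backup script that runs unattended has no way to ask whether a group-readable file was intended, so it is better to stop and tell the user to `chmod 600` the file than to proceed with a credential that another local account can already read.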
Running the sync can create local copies of attachments and consume local disk/network resources.
The script downloads attachment URLs and writes them to local files. This is expected for a backup tool, but it is still a network-and-file-write capability.
resp = requests.get(url, timeout=30, stream=True) ... with open(dest_path, "wb") as f:
Use a private, scoped output directory and use --no-download if you do not want attachments copied locally.
Dependency versions may vary, and installing from an untrusted package source could introduce unrelated risk.
The setup asks the user to install unpinned Python packages manually. This is common and purpose-aligned, but package provenance and versions are left to the user's environment.
pip install requests markdownify
Install from a trusted Python package index or pin dependency versions in your own environment if reproducibility matters.
Private notes may become visible through the filesystem, search indexes, backups, cloud sync, or version control if the output directory is shared.
The export stores private memo content and even content-derived snippets/tags in local Markdown files and filenames, making the backup easy to find or ingest later.
Each memo is written to its own `.md` file, named in the format `{日期}_{标签}_{内容前6字}_{slug}.md` (that is, `{date}_{tag}_{first 6 characters of content}_{slug}.md`).
Write exports to a private directory, consider adding the output path to .gitignore, and avoid placing the backup in shared or automatically synced folders unless intended.
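Findings 2 and 4 together describe the same capability from two sides: the sync writes server-supplied attachments and content-named Markdown files into whatever directory it is pointed at. The following is an added example, not the flomo-sync skill's own download code, of the output-side controls a practitioner would want around that: an absolute `--dir` (as the overview recommends), created owner-only with a `.gitignore` inside it, attachment names reduced to a single path component so they cannot land outside the directory, files created with `O_EXCL` so nothing existing is clobbered or followed through a symlink, and a size cap so a bad URL cannot fill the disk. The attachment bytes are a constructed in-memory stream standing in for `requests.get(url, stream=True)`, and the size limit is a value chosen for the example.

```python
"""Added example: confine attachment writes to a private output directory.
The chunk iterable stands in for a streamed HTTP response body."""
import os
import stat
from pathlib import Path
from typing import Iterable

MAX_ATTACHMENT_BYTES = 50 * 1024 * 1024  # assumption: cap chosen for this example


def private_output_dir(raw: str) -> Path:
    """Require an absolute --dir and make it readable only by the owner."""
    out = Path(raw)
    if not out.is_absolute():
        raise ValueError(f"--dir must be an absolute path, got {raw!r}")
    out.mkdir(mode=0o700, parents=True, exist_ok=True)
    os.chmod(out, 0o700)  # mkdir honours umask; force the mode regardless
    gitignore = out / ".gitignore"
    if not gitignore.exists():
        gitignore.write_text("*\n")  # keeps the export out of any enclosing git repo
    return out.resolve()


def confined_path(out_dir: Path, name: str) -> Path:
    """Map a server-supplied attachment name to a path inside out_dir."""
    base = os.path.basename(name.replace("\\", "/"))  # drop any directory part
    if base in ("", ".", "..") or "\x00" in base:
        raise ValueError(f"unusable attachment name {name!r}")
    dest = (out_dir / base).resolve()  # resolve() follows an existing symlink
    if dest.parent != out_dir:
        raise ValueError(f"{name!r} would resolve outside {out_dir}")
    return dest


def write_attachment(out_dir: Path, name: str, chunks: Iterable[bytes],
                     limit: int = MAX_ATTACHMENT_BYTES) -> int:
    """Stream chunks into out_dir/<name>, owner-only, never overwriting; returns bytes written."""
    dest = confined_path(out_dir, name)
    # O_EXCL: fail instead of truncating an existing file or writing through a link.
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    written = 0
    try:
        with os.fdopen(fd, "wb") as f:
            for chunk in chunks:
                written += len(chunk)
                if written > limit:
                    raise ValueError(f"{name!r} exceeds {limit} bytes")
                f.write(chunk)
    except Exception:
        dest.unlink(missing_ok=True)  # do not leave a partial file behind
        raise
    return written


def demo() -> dict:
    """Run the controls against a fresh temporary directory; returns results for checking."""
    import tempfile

    root = Path(tempfile.mkdtemp())
    out = private_output_dir(str(root / "flomo-export"))
    results = {
        "dir_mode": stat.S_IMODE(out.stat().st_mode),
        "gitignore": (out / ".gitignore").read_text(),
    }
    # Constructed attachment body (a PNG signature split across two chunks).
    results["written"] = write_attachment(out, "photo.png", [b"\x89PNG", b"\r\n\x1a\n"])
    results["content"] = (out / "photo.png").read_bytes()
    results["file_mode"] = stat.S_IMODE((out / "photo.png").stat().st_mode)
    # A traversal-shaped name keeps only its final component.
    results["traversal"] = confined_path(out, "../../etc/passwd").name
    try:
        write_attachment(out, "big.bin", [b"x" * 10], limit=4)
        results["oversize"] = "accepted"
    except ValueError:
        results["oversize"] = "partial" if (out / "big.bin").exists() else "rejected"
    try:
        confined_path(out, "..")
        results["dotdot"] = "accepted"
    except ValueError:
        results["dotdot"] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

The directory-level controls (owner-only mode, a `.gitignore` containing `*`) are what make the finding 4 advice mechanical rather than something the user has to remember each run; they do not change the content-derived filenames the skill produces, so keeping the directory out of shared or synced locations still applies.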
