Skill v1.0.0
VirusTotal security
flomo-sync · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 30, 2026, 4:15 AM
- Hash: 673fe46e2cae6816c4b36834b3d86fabe86a551d232efad63aec957349e59c11
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: flomo-sync; Version: 1.0.0. The skill bundle is classified as suspicious due to potential arbitrary file write vulnerabilities. While the `SKILL.md` explicitly instructs the AI agent to use an absolute path for the `--dir` argument, and the `scripts/flomo-sync.py` script enforces this validation when `--dir` is provided, the script defaults to writing output files to `Path.cwd().resolve()` if the `--dir` argument is entirely omitted. This fallback could lead to unintended file writes in an arbitrary location if the agent fails to provide the argument or is prompted to omit it. Additionally, the script downloads attachments from external URLs provided by the Flomo API, saving them to a subdirectory within the output directory. While the script does not execute these downloaded files, a compromised Flomo API could serve malicious files, posing a risk if a user were to manually open them later. These are vulnerabilities rather than clear malicious intent, as the script attempts to guide towards secure usage.
