ClawHub

flomo-archive

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: fetches a specified month of Flomo notes through the local mcporter setup, evaluates them, and saves the export locally, but users should treat the saved file as private data.

Install only if you want an agent to access the Flomo account configured in local mcporter and export a month of notes. After use, review, move, or delete /tmp/flomo_YYYY_MM.json, especially on shared machines, because it can contain full private note content and metadata.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (8)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
cmd_parts.append(f'{k}="{v}"')
    cmd = " ".join(cmd_parts)
    
    result = subprocess.run(
        cmd, 
        capture_output=True, 
        text=True,
Confidence
98% confidence
Finding
result = subprocess.run( cmd, capture_output=True, text=True, shell=True, env=os.environ.copy() )

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill invokes shell commands and reads/writes local files, including saving exported Flomo note data to /tmp, but it declares no permissions or trust boundaries. This creates a real security issue because users and policy systems are not clearly informed that sensitive personal notes may be exported locally and handled through code-capable operations.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The script persists the full fetched memo contents to /tmp even though its stated purpose is retrieval and quality analysis. Because memos can contain sensitive personal data and /tmp is a shared, predictable location on many systems, this creates unnecessary local data exposure beyond user expectations.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The script reaches into the user's home directory for a mcporter configuration file and forwards the entire process environment to the subprocess. This exceeds the minimum capability needed for monthly memo retrieval and can expose secrets, tokens, or other sensitive execution context to downstream tooling or logs.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger phrases are broad enough to activate on general requests like fetching historical records or evaluating note quality, which can cause the skill to run in contexts where the user did not specifically consent to exporting a full month of private notes. Because the skill handles highly sensitive personal content, overbroad activation increases the chance of unintended data access and local persistence.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The documentation states that complete note data is saved to /tmp but does not clearly warn that this may include sensitive personal content and metadata. This is dangerous because /tmp is a transient shared local location on many systems, increasing the risk of unintended exposure, mishandling, or retention of private note archives.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The skill performs external tool invocation and data retrieval in the normal execution path without an explicit user-facing warning or consent step. In a personal-notes context, silent retrieval of potentially sensitive memo history increases privacy risk and reduces informed user control.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script writes retrieved memo data to /tmp without explicit prior notice in the normal flow. Since flomo notes are likely sensitive personal content, unexpected persistence materially increases privacy and confidentiality risk.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal