Flomo Random Walk

Suspicious

Audited by ClawScan on May 10, 2026.

Overview

The skill matches its Flomo note-browsing purpose, but it embeds a Flomo access token and stores note-walk history, so users should review it before use.

Do not use this skill as-is. The embedded Flomo token should be removed and revoked, and the skill should be updated to require your own declared Flomo credential. If you install a corrected version, be aware that it reads Flomo note content and may save walk history locally.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The embedded token could expose or misuse a Flomo account, and users may unknowingly browse notes tied to that token instead of their own account.

Why it was flagged

The skill embeds a Flomo bearer credential for account access, despite the registry metadata declaring no primary credential or required environment variables.

Skill content

## API Credentials ... Token: `fmcp_P7Oq...rjes` ... MCP URL: `https://flomoapp.com/mcp`

Recommendation

Remove the embedded token, revoke and rotate it, and require each user to provide their own Flomo token through a declared secret or environment variable.

What this means

When used, the agent will contact Flomo and read note content from the authorized account.

Why it was flagged

The skill uses direct Flomo MCP/API calls to retrieve notes. This is expected for the stated random-walk purpose, but it gives the agent access to private note data when invoked.

Skill content

curl -X POST "https://flomoapp.com/mcp" ... "method":"tools/call","params":{"name":"get_daily_review"

Recommendation

Use only with a trusted, user-owned Flomo token and verify the account and requested actions before running the walk.

What this means

Future sessions or anyone with access to the memory file may see which notes and tags were explored.

Why it was flagged

The skill persists walk history containing note IDs and tags. This is disclosed and related to the feature, but it stores private-note metadata for later reuse.

Skill content

Record to `memory/flomo-random-walk-history.json` ... "path": ["id1", "id2", "id3"], "start_tag": "Resource/AI", "end_tag": "Project/出海"

Recommendation

Make history storage optional, document retention and deletion, and avoid storing full note content or unnecessary identifiers.