Flomo Random Walk
Advisory
Audited by VirusTotal on Apr 23, 2026.
Overview
Type: OpenClaw Skill
Name: flomo-random-walk
Version: 1.0.0
The skill bundle contains a hardcoded API token (fmcp_P7Oq8XKWAEGE7544Rle0SWxkMPNhFWh3n-ExYX1rjes) directly within the SKILL.md file, which is a significant security risk. While the logic for the 'random walk' through Flomo notes appears to align with the stated purpose, hardcoding credentials instead of using secure environment variables or a dedicated secrets manager is highly irregular. The skill also instructs the agent to log activity to a local file (memory/flomo-random-walk-history.json), which is standard behavior but should be monitored.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The embedded token could expose or misuse a Flomo account, and users may unknowingly browse notes tied to that token instead of their own account.
The skill embeds a Flomo bearer credential for account access, despite the registry metadata declaring no primary credential or required environment variables.
## API credentials ... Token: `fmcp_P7Oq...rjes` ... MCP URL: `https://flomoapp.com/mcp`
Remove the embedded token, revoke and rotate it, and require each user to provide their own Flomo token through a declared secret or environment variable.
When used, the agent will contact Flomo and read note content from the authorized account.
The skill uses direct Flomo MCP/API calls to retrieve notes. This is expected for the stated random-walk purpose, but it gives the agent access to private note data when invoked.
curl -X POST "https://flomoapp.com/mcp" ... "method":"tools/call","params":{"name":"get_daily_review"
Use only with a trusted, user-owned Flomo token and verify the account and requested actions before running the walk.
Future sessions or anyone with access to the memory file may see which notes and tags were explored.
The skill persists walk history containing note IDs and tags. This is disclosed and related to the feature, but it stores private-note metadata for later reuse.
Logged to `memory/flomo-random-walk-history.json` ... "path": ["id1", "id2", "id3"], "start_tag": "Resource/AI", "end_tag": "Project/出海"
Make history storage optional, document retention and deletion, and avoid storing full note content or unnecessary identifiers.
