ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

memolecard-en

v1.0.3

Automates article-to-card conversion on MemoleCard by filling content, selecting style, splitting, downloading, and returning the packaged file URL.

0· 114·0 current·0 all-time
by@memolecard
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
Most steps (open site, fill title/content, choose style, trigger download, watch Downloads folder) are coherent with automating MemoleCard. However the inclusion of a BACKUP_SERVER_URL fallback that pulls a card by cardId and requires sending page cookies is not justified by the stated purpose and introduces an external dependency that doesn't match the described capability.
!
Instruction Scope
The SKILL.md instructs the agent to read document.cookie and navigator.userAgent from the page and then perform a curl to a BACKUP_SERVER_URL with those values — that collects and transmits session-sensitive data to an external host. It also inspects the user's Downloads directory (relevant to detecting a native download) which is plausible, but the cookie/UA exfiltration goes beyond what the skill claims to need.
Install Mechanism
Instruction-only skill with no install steps or third-party downloads. No files are written by an installer in the package itself, so there is no install-time code risk from the skill bundle.
!
Credentials
The skill declares no required credentials, yet it reads site cookies and forwards them to an external BACKUP_SERVER_URL via curl. Forwarding cookies (session tokens) to an arbitrary/templated IP is disproportionate and can expose authentication/session secrets. No justification or validation is provided for the external host.
Persistence & Privilege
It does not request persistent or always-on privileges, does not modify other skills or system-wide settings, and will only run when invoked.
What to consider before installing
This skill automates MemoleCard UI steps and can download the produced ZIP locally, which is reasonable. However its fallback clearly collects the site's document.cookie and navigator.userAgent and sends them to a configurable BACKUP_SERVER_URL (a templated IP). That effectively exposes your session cookies to a third party. Before installing, ask the author why an external server needs your cookies and insist that any fallback use a same-origin request (or remove the fallback). Do not set BACKUP_SERVER_URL to an untrusted host. If you must test, run it with a throwaway MemoleCard account and inspect network/curl targets first. If you cannot verify the backup server's trustworthiness or the author cannot justify cookie forwarding, do not install or disable the fallback/curl lines in the SKILL.md.

Like a lobster shell, security has layers — review code before you run it.

latestvk97663ymwzpgdx9r0p0re1jydx8335pv

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments