reMarkable Cloud

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The rmapi session can be reused for later reMarkable Cloud operations such as listing, uploading, and creating folders.

Why it was flagged

This shows the skill depends on reMarkable account authentication and a persistent local token cache. That is expected for cloud access, but it is a credential boundary users should notice.

Skill content

First run will prompt for a one-time code from https://my.remarkable.com/device/browser?showOtp=true ... Auth tokens are cached by rmapi at `~/.rmapi`

Recommendation

Authenticate only on a trusted machine, protect the ~/.rmapi token cache, and revoke or remove the cached session if you stop using the skill.

What this means

The installed rmapi binary will be used for authenticated reMarkable Cloud access.

Why it was flagged

The setup installs a third-party CLI from the current GitHub branch without pinning a commit, release, or checksum. rmapi is central to the skill, but users should review its provenance before installing.

Skill content

cd /tmp && git clone --depth 1 https://github.com/ddvk/rmapi.git
cd rmapi && go build -o /usr/local/bin/rmapi .

Recommendation

Prefer a trusted release or pinned commit, review the rmapi source or package provenance, and avoid elevated installation permissions unless necessary.

What this means

A mistaken command could upload the wrong document or create unwanted folders that sync to the device.

Why it was flagged

The wrapper can upload documents/articles and create folders in the user's reMarkable Cloud account. This is purpose-aligned and user-directed, but it is still account-mutating authority.

Skill content

$RMAPI put --coverpage=0 "$FILE_PATH" "$DIR"
...
$RMAPI mkdir "$DIR_PATH"

Recommendation

Confirm the file, URL, format, and destination folder before running upload or send-article commands.