reMarkable Cloud
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: remarkable Version: 1.1.0 The skill is classified as suspicious due to the installation of a third-party binary from source and the use of external command execution. Specifically, `SKILL.md` instructs the agent to `git clone` and `go build` the `rmapi` tool from GitHub, which introduces a supply chain risk. Additionally, `scripts/article2ebook.py` uses `subprocess.run` to execute `cupsfilter` for PDF conversion, which, while mitigated by filename sanitization, is an external command execution based on content derived from a user-provided URL. These capabilities, though plausibly needed for the stated purpose, carry inherent risks without clear malicious intent.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The rmapi session can be reused for later reMarkable Cloud operations such as listing, uploading, and creating folders.
This shows the skill depends on reMarkable account authentication and a persistent local token cache. That is expected for cloud access, but it is a credential boundary users should notice.
First run will prompt for a one-time code from https://my.remarkable.com/device/browser?showOtp=true ... Auth tokens are cached by rmapi at `~/.rmapi`
Authenticate only on a trusted machine, protect the ~/.rmapi token cache, and revoke or remove the cached session if you stop using the skill.
The installed rmapi binary will be used for authenticated reMarkable Cloud access.
The setup installs a third-party CLI from the current GitHub branch without pinning a commit, release, or checksum. rmapi is central to the skill, but users should review its provenance before installing.
cd /tmp && git clone --depth 1 https://github.com/ddvk/rmapi.git cd rmapi && go build -o /usr/local/bin/rmapi .
Prefer a trusted release or pinned commit, review the rmapi source or package provenance, and avoid elevated installation permissions unless necessary.
A mistaken command could upload the wrong document or create unwanted folders that sync to the device.
The wrapper can upload documents/articles and create folders in the user's reMarkable Cloud account. This is purpose-aligned and user-directed, but it is still account-mutating authority.
$RMAPI put --coverpage=0 "$FILE_PATH" "$DIR" ... $RMAPI mkdir "$DIR_PATH"
Confirm the file, URL, format, and destination folder before running upload or send-article commands.