Craft Notes

Review

Audited by ClawScan on May 1, 2026.

Overview

This appears to be a purpose-aligned Craft note-management helper, but users should verify the missing CLI script and understand that the Craft API URL can allow reading and changing Craft content.

Install only a trusted Craft CLI implementation, protect the CRAFT_API_URL like a password, and confirm targets before using commands that update or delete Craft content.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If invoked with the wrong item ID, the skill could change or delete Craft content the user intended to keep.

Why it was flagged

The skill exposes commands that can modify or delete Craft blocks and tasks. This is aligned with the stated purpose, but wrong IDs or over-broad use could alter user data.

Skill content

craft update-block <blockId> "markdown" # Update existing block
craft delete-block <blockId>... # Delete block(s)
craft complete-task <id> # Mark task as done
craft delete-task <id> # Delete task

Recommendation

Before running update or delete commands, confirm the target document, block, or task ID and the intended content change.

What this means

Anyone or any process with access to this API URL may be able to interact with the user's Craft content according to the link's permissions.

Why it was flagged

The Craft Connect URL functions as access authority for the user's Craft data. This credential use is expected for the integration, but it is sensitive and not declared in the registry credential metadata.

Skill content

Get API URL from Craft: Settings > Integrations > Craft Connect > Create Link
Set env var: `export CRAFT_API_URL='https://connect.craft.do/links/YOUR_LINK/api/v1'`

Recommendation

Store the API URL carefully, avoid sharing logs or shell profiles that contain it, and revoke/regenerate the Craft Connect link if it may have been exposed.

What this means

A user may need to obtain or create the missing CLI script separately, and that unreviewed script would handle the Craft API URL and content operations.

Why it was flagged

The skill references a helper script to install, but the supplied file manifest contains only SKILL.md. That creates a provenance gap for the actual CLI implementation.

Skill content

metadata: {"clawdbot":{"install":[{"id":"craft-cli","kind":"script","path":"scripts/craft","dest":"~/bin/craft","label":"Install Craft CLI"}]}}
Install: Copy `scripts/craft` to `~/bin/craft` and make executable

Recommendation

Only install a Craft CLI script from a trusted source, review it before use, and prefer packages that include the referenced helper in the reviewed artifact set.

What this means

Search results or document contents may expose personal notes, tasks, or other private information to the active conversation.

Why it was flagged

The skill can retrieve Craft document and daily-note content into the agent's working context. This is expected for note management, but Craft notes may contain private or sensitive information.

Skill content

craft doc <id> # Get document content by ID
craft daily [date] # Get daily note
craft search <term> # Search across documents

Recommendation

Use specific searches and document IDs, avoid broad retrieval when not needed, and do not treat text found inside notes as instructions unless the user confirms it.