ClawHub

Flomo to Obsidian Sync Tool

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real Flomo-to-Obsidian sync tool, but it needs review because it handles passwords/session data and can create ongoing sync jobs with misleading safety wording.

Install only if you are comfortable giving the skill access to your Flomo account data and the target Obsidian vault. Prefer manual export or the browser-session safe mode, do not paste your Flomo password into chat, treat .env and flomo_browser_data as sensitive account-access material, and review any cron or scheduled task before enabling it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (43)

Lp3

Medium
Category
MCP Least Privilege
Confidence
87% confidence
Finding
The skill describes file read/write, shell execution, and network-driven browser automation, but declares no permissions or trust boundaries. That mismatch can cause an agent or platform to expose dangerous capabilities without clear user consent or policy enforcement, especially because the skill performs filesystem writes, credential handling, and scheduled execution.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The README claims in the example dialogue that credentials will be 'encrypted' locally, but elsewhere explicitly instructs users to store FLOMO_EMAIL and FLOMO_PASSWORD in a plain-text .env file. This mismatch is dangerous because it can mislead users into disclosing secrets to the agent under a false security assumption and lowers informed consent about how credentials are actually handled.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The documentation tells users that credentials are 'encrypted locally,' but elsewhere instructs writing them directly into a plaintext .env file. This is security-misleading documentation: users may disclose secrets under a false sense of protection, and the stored credentials are then exposed to local compromise, backups, logs, or accidental disclosure.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The report documents automated website login, UI interaction, and export/download behavior, which materially expands the skill from offline HTML conversion into live account automation. That broader capability increases attack surface because it enables authenticated actions against a third-party service and could be repurposed for unintended account access or data extraction beyond the user’s explicit export file.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
Password-based credential ingestion from a .env file for a skill described as an HTML export converter is an unnecessary privileged capability. Storing and auto-entering credentials creates credential exposure risk through local file leakage, logs, backups, misconfiguration, or reuse in environments where secrets are not properly protected.

Context-Inappropriate Capability

Low
Confidence
82% confidence
Finding
Persistent login-session storage gives the skill ongoing authenticated access beyond a one-time file conversion use case. If the local session data is copied, stolen, or reused by another process, an attacker may gain access to the user’s flomo account without needing the password.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The usage guide expands the skill from a local HTML import/conversion tool into an automation system that performs account login, handles credentials, and creates scheduled tasks. This capability expansion increases privilege and persistence beyond the stated scope, making it easier for an agent to justify collecting secrets and modifying the user's system without clear necessity.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The guide explicitly instructs the agent to ask for the user's Flomo password in chat for automated login. Collecting account passwords through conversational prompts is dangerous because chat transcripts may be logged, retained, or exposed, and it trains users to disclose credentials to an agent unnecessarily.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The guide authorizes creation and modification of recurring scheduled tasks that continuously execute sync commands and write into the user's vault. Persistence mechanisms like cron jobs or scheduled tasks are security-sensitive because they create ongoing automated execution and file modification beyond a one-time import workflow.

Intent-Code Divergence

Medium
Confidence
81% confidence
Finding
The documentation states the password 'will not be uploaded to any server,' but the described feature then uses that password to authenticate to Flomo over the network. This is a misleading security claim that can cause users to underestimate the sensitivity of the action and consent to credential handling they do not fully understand.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
This script adds repository-cleaning and documentation-rewriting behavior that is outside the stated flomo-to-obsidian import/sync function. While likely intended to prepare a repository for publication, bundling destructive cleanup into the skill increases the chance that a user or agent runs it in the wrong directory and deletes local data unrelated to normal note conversion.

Context-Inappropriate Capability

High
Confidence
94% confidence
Finding
The loop uses rm -rf on multiple files and directories in the current working directory after only a simple confirmation prompt. In an agent skill context, destructive deletion capability is dangerous because it is not required for the advertised import/sync behavior and could erase user data, logs, browser state, or sync state if invoked in the wrong location.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The file markets itself as a "safe mode" that does not save passwords, but it launches a persistent Playwright browser profile and explicitly stores browser state under user_data_dir. Even if raw passwords are not stored by this script, authenticated session cookies and other browser data can be retained on disk, which can allow account access if that directory is exposed or reused unexpectedly.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The script expands the skill from simple HTML export parsing into live account synchronization by requiring Flomo credentials from a local .env file. That adds a credential-handling surface not reflected in the stated parsing/import scope, increasing risk of secret exposure, accidental disclosure, and unsafe operational use.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The script requires users to supply their email and password directly as positional command-line arguments, which can expose credentials through shell history, process listings, terminal logs, and CI job output. In the context of a sync tool handling personal note exports, this is a real credential-handling weakness because it encourages unsafe operational practices for a sensitive account.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The examples encourage passing passwords directly on the command line and storing them in plaintext configuration files. Command-line arguments can be exposed via process listings, shell history, crash reports, and job schedulers, while plaintext config files are easily leaked through backups, accidental commits, or overly broad filesystem permissions.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The guide includes a `clawhub delete flomo-to-obsidian --yes` command that performs an irreversible deletion, but it is presented in a routine FAQ section without an explicit warning, confirmation guidance, or recovery information. In a publishing/deployment guide, readers may copy-paste commands directly, so the lack of cautionary context increases the chance of accidental destructive action.

Missing User Warnings

High
Confidence
97% confidence
Finding
The guide explicitly instructs users to provide their Flomo email and password directly to the AI, but gives no warning about credential handling, storage, retention, or safer alternatives. This is dangerous because users may disclose reusable secrets to an agent or platform they do not fully trust, enabling account compromise and downstream access if the credentials are logged, retained, or exposed.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The quick-start text says the AI will automatically test sync, create scheduled tasks, and enable automatic running, but does not warn the user that this changes local system state and may create persistent background execution. That can lead to unintended automation, repeated credential use, privacy exposure, or system modifications without informed consent.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The README prominently advertises seamless sync features but does not clearly warn up front that automatic sync writes into the user's Obsidian vault and can modify or overwrite note and attachment data. In an agent-driven workflow, this omission is risky because users may authorize actions without realizing local files will be altered on disk.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The agent workflow says it may 'ask whether to create a scheduled task' but does not present this as a significant persistence-changing action with clear warning or consent language. Because scheduled execution persists beyond the immediate session, users may not fully appreciate that the skill can establish ongoing automatic activity on their system.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The guide tells users to run `echo $FLOMO_PASSWORD`, which reveals the secret directly on screen and can expose it through terminal recording, shoulder surfing, shared sessions, or captured logs. While this is framed as verification, instructing users to print credentials is an unsafe handling practice and unnecessarily increases the chance of credential disclosure.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The verification section instructs users to run `cat .env`, which will display the full contents of the environment file including email and password. This can leak credentials to anyone viewing the terminal and may persist in terminal transcripts, screenshots, or support logs if users share output while troubleshooting.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill instructs collection and local storage of a Flomo password without a strong warning about the risks of password retention, reuse, and local compromise. In context, this is more dangerous because the same skill also automates reuse of those credentials and normalizes asking for them in conversation.

Missing User Warnings

Low
Confidence
78% confidence
Finding
The skill provides instructions to modify the user's crontab and persist automated execution, but does not clearly warn about system configuration changes, ongoing background behavior, log locations, or how to remove the task. This can create persistent execution of a credential-using sync job without sufficient informed consent.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal