Skill v2.0.0
ClawScan security
Flomo to Obsidian Sync Tool · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 11, 2026, 10:50 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill appears to implement what it claims (Flomo → Obsidian conversion and sync) but contains a few inconsistencies and practical risks you should understand before installing—most notably dialog-based collection/storage of account credentials and instructions that create persistent scheduled tasks and files on disk.
- Guidance: Things to consider before installing and using this skill:
  - Credential handling: The skill documents two modes. Use 'safe mode' (browser-login session) when possible — it avoids storing your password. If you choose 'password mode', the skill asks you (via chat) for your Flomo credentials and writes them to a local .env file. Only proceed if you trust the agent and host environment; prefer entering credentials directly on your machine rather than pasting them into a remote/unknown agent UI.
  - Review files locally: The package contains Python scripts (auto_sync.py, convert_v2.py, etc.), shell scripts, and a clean_personal_data.sh. Inspect those scripts yourself (or run them in an isolated container/VM) to confirm there is no unexpected network upload or exfiltration beyond interacting with flomo's web UI.
  - Storage & permissions: If you use password mode, set strict permissions (chmod 600 .env) and verify .env is in .gitignore. Check for flomo_browser_data and any downloaded exports; remove them if not needed.
  - Scheduled tasks: The skill shows how to create cron jobs / use OpenClaw's scheduled_task_create. Creating persistent scheduled tasks is expected for automation, but ensure the command executed by the job is safe and runs under the intended user account.
  - Playwright/Chromium: The sync process requires Playwright and will download a Chromium browser; be prepared for that download and run-time footprint.
  - Minimal privilege deployment: If you have doubts, run initial tests manually (one-time export + convert) rather than enabling full automation. Consider running automated mode inside a throwaway VM or container with limited network/credentials.
  - Verify claims: The docs state passwords/local data are not uploaded. If that guarantee matters to you, search the code for outbound network calls beyond connecting to flomo (e.g., non-flomo endpoints) before trusting automation.
If you want, I can: (1) scan the Python scripts for network calls or suspicious patterns, (2) produce a short checklist of the exact files to inspect or whitelist, or (3) suggest a safe sequence of manual steps that avoids storing passwords.
Review Dimensions
- Purpose & Capability
  - note: Functionality (HTML→Markdown conversion, Playwright-driven export, attachment copying, cron/scheduled tasks) matches the name/description. It legitimately needs Flomo credentials for fully automated 'password mode' and filesystem access to the Obsidian vault. Minor inconsistency: registry metadata lists no required env vars while the runtime docs instruct creating a .env with FLOMO_EMAIL/FLOMO_PASSWORD or exporting env vars; the code bundle included indicates this skill is not purely 'instruction-only'.
- Instruction Scope
  - concern: SKILL.md and other docs explicitly instruct the agent to prompt the user in-chat for Flomo login credentials and Obsidian paths, to create/write a .env file, to open a browser session and persist browser data (flomo_browser_data), and to create cron/scheduled tasks. These actions are within the tool's stated purpose but carry sensitive scope (credential collection via conversation, writing secrets to disk, creating scheduled tasks) that increases risk if the agent or environment mishandles data or transmits it externally. The instructions assume the agent will run local shell scripts and use MCP to create scheduled tasks—both grant the skill broad ability to modify the host environment.
- Install Mechanism
  - note: No formal install spec in registry (declared 'instruction-only'), but the skill package includes many scripts and Python code. Dependencies are installed via pip and Playwright; Playwright will download a Chromium binary (expected for browser automation). There are no obscure or external binary download URLs in the provided docs, but running setup.sh, ./sync.sh or Playwright will write files and download Chromium to the host—this is expected but worth noting.
- Credentials
  - concern: The skill asks for FLOMO_EMAIL and FLOMO_PASSWORD in practice (creating .env, env var options, or interactive chat prompts) even though the registry lists no required env vars—this mismatch should be noted. Requesting the Flomo password is proportionate for a fully automated mode, but collecting it via agent conversation and storing it locally (.env) is sensitive. The docs claim passwords will be encrypted/local-only, but that is an implementation claim you should verify before trusting.
- Persistence & Privilege
  - note: The skill does not set always:true and does not appear to modify other skills. It does write persistent state locally (.env, flomo_browser_data, .flomo_sync_state.json, download directories) and provides instructions to create cron jobs or scheduled tasks. That persistence is consistent with its stated goal (automated periodic sync) but increases the blast radius if credentials or files are exposed or if the scheduled task runs in an environment you don't control.
