Back to skill
Skillv1.0.0
VirusTotal security
Flomo Send · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
BenignMay 1, 2026, 3:37 AM
- Hash
- 2040f3b81c1e39d5256988ade6826095717c3e0d1769f407c8375d57b42fb921
- Source
- palm
- Verdict
- benign
- Code Insight
- Type: OpenClaw Skill Name: flomo-send Version: 1.0.0 The skill is designed to send user-provided notes to the flomo service via its webhook API. The `configure.sh` script interactively prompts the user for a flomo webhook token and offers to save it either to a local `.env` file with restricted permissions (chmod 600) or, with explicit user consent, to their shell configuration file (~/.zshrc, ~/.bashrc). The `flomo_send.sh` script loads this token and uses `curl` to send the note content to the flomo webhook URL, employing `python3 -c 'import sys,json;print(json.dumps({"content": sys.stdin.read()}))'` for safe JSON payload construction. There is no evidence of data exfiltration beyond the stated purpose, malicious execution, or prompt injection against the agent. The actions are transparent and aligned with the skill's description.
- External report
- View on VirusTotal