Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Flomo Via App

v1.0.8

Send notes and memos to flomo (浮墨笔记) via URL Scheme with automatic webhook fallback. Use when user wants to save thoughts, links, ideas, or content to their flomo inbox. Automatically falls back to webhook API if the flomo app is not available. Supports hashtags and quick capture workflows on macOS. IMPORTANT: After installing this skill, run `./scripts/configure.sh` to set up your flomo PRO webhook for the best experience.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
The skill's purpose is to send notes to flomo. The bundle only requires a flomo webhook (FLOMO_WEBHOOK_TOKEN or FLOMO_WEBHOOK_URL) and uses curl/python3 to POST to flomoapp.com. That matches the stated webhook fallback behavior. There is one inconsistency: SKILL.md advertises a URL-scheme primary path with webhook fallback, but the actual runtime script (flomo_send.sh) implements webhook-only delivery if the webhook is configured; README states URL scheme was removed. This is a documentation/behavior mismatch but not an unexplained credential request.
Instruction Scope
Runtime instructions and scripts only read input (args/stdin/clipboard), a local .env, and optional shell config path info. The configure.sh script can append an export line to the user's shell config (e.g., ~/.zshrc or ~/.bash_profile) or create a local .env in the skill directory; both are within the scope of configuring a webhook token but do modify user files if the user chooses option 2. No instructions read unrelated system secrets, history, or network endpoints beyond flomoapp.com.
Install Mechanism
There is no install spec or remote download; the skill is instruction-plus-local-scripts only. No network-based installers, archive extraction, or third-party package installs are included.
Credentials
The only environment variables discussed/used are FLOMO_WEBHOOK_URL and FLOMO_WEBHOOK_TOKEN, which are necessary and proportionate for sending notes to the flomo webhook. The scripts source a local .env file (optional) and do not request unrelated secrets.
Persistence & Privilege
The skill does not request persistent platform privileges (always:false). However, configure.sh offers to persist the webhook token either in a local .env within the skill directory (created with chmod 600) or by appending an export to the detected shell config file. Appending to shell config modifies user environment files and should be done only with user consent.
Assessment
This skill appears to do what it says: it sends notes to your flomo webhook and stores a webhook token locally if you choose. Before installing or running configure.sh, review the scripts in the repository. Two practical points: (1) Documentation inconsistency — SKILL.md describes a URL-scheme primary flow with webhook fallback, but the send script operates webhook-first and the README even states URL-scheme support was removed; don't rely on URL-scheme behavior unless you inspect/modify the scripts. (2) When configuring, prefer the local .env option (default) to avoid having the installer append an export to your shell rc file; never commit the .env to version control. Finally, confirm any webhook URL you paste points to https://flomoapp.com/iwh/... (the script posts only to that domain) and keep your webhook token private.

Like a lobster shell, security has layers — review code before you run it.
