Back to skill

Security audit

Flomo Via App

Security checks across malware telemetry and agentic risk

Overview

This skill sends user-selected notes to Flomo and has some documentation and credential-storage caveats, but the reviewed artifacts do not show hidden, destructive, or unrelated behavior.

Install only if you are comfortable sending selected notes to Flomo over the network and storing a Flomo webhook token locally. Prefer the default local .env option over shell startup files, treat the webhook URL/token as a secret, and rely on the current script as webhook-based despite older URL-scheme wording in SKILL.md.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The skill documentation claims a local macOS URL-scheme path with automatic fallback, but the analyzer indicates the implementation only uses webhook delivery. This mismatch can mislead users into exposing webhook tokens, trusting local-only behavior that does not exist, or using the skill in environments where data is unexpectedly transmitted to remote servers.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documentation tells users to copy and use a personal webhook URL but never states that the URL itself is effectively a bearer secret. If the tokenized URL is exposed in screenshots, repos, logs, shell history, or shared examples, anyone who obtains it can post arbitrary notes into the user's flomo inbox.

External Transmission

Medium
Category
Data Exfiltration
Content
PAYLOAD="{\"content\": \"$ESCAPED\"}"
    fi

    RESP=$(curl -sS -w "\n%{http_code}" -X POST "$WEBHOOK_URL" -H "Content-Type: application/json" -d "$PAYLOAD" || true)
    HTTP_STATUS=$(echo "$RESP" | tail -n1)
    BODY=$(echo "$RESP" | sed '$d')
Confidence
83% confidence
Finding
curl -sS -w "\n%{http_code}" -X POST "$WEBHOOK_URL" -H "Content-Type: application/json" -d

Credential Access

High
Category
Privilege Escalation
Content
set -e

# Load local .env if present (export variables so they're available to curl/python)
ENV_FILE="$(dirname "$0")/../.env"
if [ -f "$ENV_FILE" ]; then
    set -o allexport
    # shellcheck disable=SC1090
Confidence
79% confidence
Finding
.env"

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.