Zettelkasten - 卡片笔记
ReviewAudited by ClawScan on May 10, 2026.
Overview
The note-taking functionality is mostly coherent, but the package includes a separate publishing script that can read ClawHub credentials and upload the current folder, which is not needed for taking notes.
Review or remove publish.sh before installing or using this package. The note-taking code itself appears locally focused, but only run the publishing script if you deliberately want to publish the skill and have checked exactly what directory will be archived and uploaded.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If this script is run manually or by an agent, private files in the current folder could be uploaded as part of a skill archive.
The bundled script archives the entire current directory and uploads it to a remote API. That broad upload path is unrelated to the note-taking skill and could include unintended files if the script is run from the wrong directory.
tar -czf zettelkasten-1.0.0.tar.gz . ... curl -X POST "https://api.clawhub.com/v1/skills" ... -F "archive=@zettelkasten-1.0.0.tar.gz"
Do not run publish.sh unless you are intentionally publishing the package. The publisher should use an explicit file list and exclude generated note databases, credentials, and unrelated files.
Running the script would use your ClawHub account authority to publish or upload content.
The script reads a local ClawHub bearer credential, even though the skill metadata declares no primary credential and credential access is not needed for the stated note-taking purpose.
-H "Authorization: Bearer $(cat ~/.clawhub/credentials)"
Remove publish.sh from user-installed packages, or clearly document it as a developer-only tool requiring explicit approval and a narrowly scoped token.
Ideas you enter can be saved locally and resurfaced in future reviews or connection suggestions.
The skill persists user cards in a local JSON database for later connection detection and daily review, which is expected for a notes system but means entered content is retained.
self.db_file = f"zettelkasten_{self.user_id}_db.json" ... json.dump(self.cards, f, ensure_ascii=False, indent=2)Avoid entering secrets unless you are comfortable storing them locally, and know where the JSON database is created so you can back it up or delete it.