Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Flomo note sync

v1.0.0

Quickly sync content to flomo notes, with automatic tag recognition and content formatting. Triggered when the user mentions keywords such as: sync to flomo, save to flomo, send to flomo, flomo record, note it in flomo, #flomo, and the like.

0 · 62 · 0 current · 0 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's name/description (sync to flomo) aligns with the included script: the script reads a webhook URL and POSTs note content to it. However, the registry metadata claims no required config paths or credentials while both SKILL.md and scripts/flomo.sh require a ~/.flomo_token file — a manifest mismatch that should have been declared.
Instruction Scope
SKILL.md and the script are narrowly scoped: they read the webhook from ~/.flomo_token and send provided content to that webhook. The instructions do not request unrelated files, environment variables, or external endpoints beyond the webhook. They do, however, rely on running curl and jq (used in the script) which are not listed in the manifest.
Install Mechanism
No install spec (instruction-only) and the included script is a small shell file bundled with the skill. There are no remote downloads or archive extraction steps. This is low-risk from an install-source perspective.
Credentials
The only secret/credential involved is the flomo webhook URL stored in ~/.flomo_token, which is proportionate to the stated purpose. But the skill metadata did not declare this config path, and the script will transmit any content it is given to that webhook — users should ensure the webhook target is trusted and the token file is securely stored.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system-wide settings. It runs only when invoked and has no elevated or persistent platform-wide privileges.
What to consider before installing
- The script will read your flomo webhook URL from ~/.flomo_token and send any invoked content to that URL. Only install if you trust the webhook endpoint.
- Ensure the webhook file is created by you and stored securely (e.g., chmod 600 ~/.flomo_token). Do not paste secrets from other services into that file.
- The bundled script uses curl and jq; install those on your system or expect the skill to fail. The manifest should have listed these dependencies but did not.
- The package metadata omits the required config path (~/.flomo_token). Ask the author to update the manifest to declare this dependency and the required binaries.
- Review the script (scripts/flomo.sh) yourself — it is short and straightforward; there are no hidden remote downloads or obfuscated behavior, but it will transmit user-provided content to the webhook.
- If you are uncomfortable with any of the above (especially sending potentially sensitive text to the webhook), do not install or use the skill.


latest: vk97drd9tc7v4mv7ae1w119583n8447ak
