ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Google Keep Skill

v1.0.1

Integration with Google Keep via nodriver (undetectable Chrome). Creates, reads, updates, and deletes notes.

0· 365·0 current·0 all-time
by@ricardoreichert
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (Google Keep via undetected Chrome) match the code and SKILL.md: the package uses nodriver, controls a Chrome profile, and implements CRUD operations for Keep. There are no unexplained environment variables, credentials, or unrelated binaries requested.
Instruction Scope
Runtime instructions tell the agent to run local CLI commands (uv run python scripts/keep.py ...) and to perform a one-time manual login that saves a Chrome profile and cookies under ~/.config/google-keep-skill/. The SKILL.md explicitly forbids reading or exfiltrating that session directory. This scope is coherent for a browser-automation Keep integration, but the saved session is sensitive and the agent will have the capability to run arbitrary local commands when invoked to use the skill.
Install Mechanism
No archive downloads or remote arbitrary executables. Dependencies are managed via uv/pyproject.toml and the nodriver Python package (PyPI). No install URLs or extract steps that would write unknown code to disk beyond normal dependency installation.
Credentials
The skill requires no environment variables or external API keys and uses manual login to obtain an authenticated session. It persists cookies and a Chrome profile in the user's home directory (~/.config/google-keep-skill/), which is necessary for headless reuse but is sensitive; the storage is restricted to the skill's own path, not other system config.
Persistence & Privilege
The skill is not always-enabled, does not modify other skills, and only writes to its own config path under the user's home. It does create/restore CDP cookies and a user-data-dir profile for Chrome, which is expected for this functionality.
Assessment
This skill is internally consistent with its stated purpose, but it operates on a real authenticated Chrome profile so treat it like any tool that holds your session cookies. Before installing or running it: 1) Review the nodriver package provenance (PyPI maintainer, recent releases) since it gains powerful browser control. 2) Consider using a dedicated Google account for automation so your primary account's cookies aren't reused. 3) Verify ~/.config/google-keep-skill/ permissions (should be 700/600) and avoid sharing that directory; clear the session (uv run python scripts/keep.py logout or clear) when done. 4) Inspect the code (auth.py/keep.py) yourself or run it in an isolated environment (container or VM) if you cannot fully trust the package source. 5) If you plan to allow autonomous agent invocation, remember the agent will be able to execute the CLI commands locally—limit that capability or require explicit user confirmation for destructive operations (delete/archive).

Like a lobster shell, security has layers — review code before you run it.

latestvk970yzf09avpyqycv18n202at1825xds

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments