Reflect Notes
Pass
Audited by ClawScan on May 1, 2026.
Overview
This skill does what it says—writes user-provided content to Reflect—but users should understand it uses a Reflect access token and can persist chat content in their note graph.
This skill appears safe for its stated purpose. Before installing, be aware that it uses your Reflect token to add content to your Reflect graph and may store chat-derived notes, todos, links, or summaries there. Use it only for information you intend to keep in Reflect, and protect or revoke the token as you would any account credential.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone using the skill must provide a Reflect access token, which lets the helper act on the selected Reflect graph according to that token's permissions.
The skill requires a Reflect bearer token and graph ID to access the user's Reflect account, while registry metadata does not declare a primary credential. This credential use is expected for the integration and is clearly disclosed.
export REFLECT_TOKEN="your-access-token"
export REFLECT_GRAPH_ID="your-graph-id"
Use a token intended only for this Reflect workflow if possible, keep it out of chat logs and shared files, and revoke it if you stop using the skill.
The agent can add persistent notes or links to your Reflect graph when this skill is used.
The helper script can write to daily notes, create notes, and save links in Reflect. These are account-mutating API calls, but they match the skill's advertised purpose.
curl -s -X PUT "$API_BASE/daily-notes" ...
curl -s -X POST "$API_BASE/notes" ...
curl -s -X POST "$API_BASE/links" ...
Use the skill for content you intentionally want saved, and review prompts that ask the agent to write large or sensitive material to Reflect.
Private chat content, todos, summaries, or reminders may be stored in Reflect if the skill is asked to save them.
The stated purpose includes persisting conversation-derived information into an external knowledge graph, which may later be used as personal context or records.
Use for capturing thoughts, todos, or syncing information to your knowledge graph.
Avoid saving secrets, credentials, or sensitive personal information unless you explicitly want that information persisted in Reflect.
The helper may fail or behave differently if curl or jq are missing or replaced by unexpected local binaries.
The script depends on jq and curl even though the registry requirements list no required binaries. This is not suspicious by itself, but it is an under-declared local dependency.
PAYLOAD=$(jq -n ...)
curl -s "$API_BASE/links" ... | jq .
Confirm curl and jq are installed from trusted sources before using the helper script.
