Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

AFFiNE Skill

v1.0.0

Command-line tool to manage Affine documents, tags, folders, databases, comments, journals, and workspaces on cloud or self-hosted servers.

by 木炭 (@woodcoal)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name, description, and included command docs all match a CLI for managing AFFiNE resources. However, registry metadata in the package (earlier summary) lists no required env vars or binaries while SKILL.md declares node/npm and AFFINE_API_TOKEN as required — this metadata mismatch is unexpected and should be clarified.
Instruction Scope
SKILL.md is instruction-only and tells users/agents to run the affine-cli binary, obtain an AFFINE_API_TOKEN, and that configuration is loaded from env > local .env > ~/.affine-cli/affine-cli.env. Referencing these config files and environment variables is reasonable for a CLI, but it does tell the agent/user where credentials may be stored and that tokens may be saved to global config (writes to ~/.affine-cli). This is normal for a CLI but worth awareness.
Install Mechanism
There is no install spec in the registry (instruction-only). The docs recommend npm install -g affine-cli or npx, which is a standard distribution method. Because the skill doesn't include an install script, the installation risk is limited to whatever the npm package itself does — verify the npm package and GitHub repo before installing.
Credentials
The runtime docs require AFFINE_API_TOKEN (and optionally AFFINE_BASE_URL, AFFINE_WORKSPACE_ID), which are appropriate for a tool that talks to AFFiNE. The concern is the package metadata bundled with the skill lists no required env vars or binaries while SKILL.md explicitly lists them — this discrepancy could mislead automated checks or users about what secrets the skill needs.
Persistence & Privilege
The skill is not always-enabled and does not request special platform privileges. It documents that the CLI can persist tokens to local or global config files — typical behavior for a CLI and limited in scope to the user's home directory.
What to consider before installing
This is an instruction-only skill that documents how to use the external 'affine-cli' npm package. Before installing or using it:
1) verify the npm package and linked GitHub repo (https://github.com/woodcoal/affine-cli) are legitimate and review their code/README;
2) confirm the AFFINE_API_TOKEN scope and rotate it after use if you store it;
3) prefer saving tokens to a project-local .env rather than a global ~/.affine-cli file if you want to limit exposure;
4) note the registry metadata contradicts SKILL.md about required binaries/env — ask the publisher to correct the metadata or refuse installation until clarified;
5) if you run the CLI, inspect what the npm package does at install/run time (postinstall scripts, network calls) before granting it access to tokens.
