Flomo Notes

v0.1.0

Save notes to Flomo via the Flomo inbox webhook. Use when the user says "save to flomo", "记录到 flomo", "flomo note", or asks to store a note in flomo.

4· 2.3k·4 current·5 all-time
by Robert Shaw @xiaoluoboding
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The skill's name, description, and code all align with the stated purpose: sending a note to a Flomo inbox webhook. Requesting a Flomo webhook URL is appropriate for this function.
Instruction Scope
SKILL.md instructs the agent to run `bash scripts/save_to_flomo.sh "<note text>"` (passing the text as a command-line argument), but the script reads the note from stdin (NOTE="$(cat)"). That mismatch means an agent that follows SKILL.md may hang or send an empty note. The instructions do otherwise stay within scope (they only post to the Flomo webhook), but the invocation mismatch is a functional and security-relevant inconsistency that should be fixed.
Install Mechanism
No install spec is provided (instruction-only with a small script), which is low-risk. However, the README and script rely on curl and python3; the skill registry metadata lists no required binaries. The missing declaration of runtime binaries is an inconsistency (operational, not necessarily malicious).
Credentials
SKILL.md and the script require FLOMO_WEBHOOK_URL (and explicitly label it as a secret), but the skill's registry metadata reported 'Required env vars: none'. The single webhook secret is proportionate to the purpose, but the metadata omission is misleading and may cause an agent or integrator to run the skill without supplying the required credential.
Persistence & Privilege
The skill does not request always:true and is user-invocable only; it does not claim elevated persistence or modify other skills. This is appropriate for the stated function.
What to consider before installing
This skill appears to do what it says (POST a note to your Flomo webhook) but there are a few issues to resolve before trusting it:

  1. SKILL.md/README do not declare the required FLOMO_WEBHOOK_URL in the registry metadata; ensure you set FLOMO_WEBHOOK_URL in your OpenClaw config or environment before use.
  2. The documentation shows invoking the script with an argument, but the script reads from stdin; to test safely, run:
echo "your note" | FLOMO_WEBHOOK_URL="https://flomoapp.com/iwh/XXX" bash scripts/save_to_flomo.sh
  3. Make sure curl and python3 are available on the host.
  4. Treat the webhook URL as a secret: anyone with it can post to your Flomo.

Fixing the invocation mismatch (either change the script to accept an argument or update the docs to pipe input) and updating registry metadata to list FLOMO_WEBHOOK_URL and required binaries will resolve the main concerns.
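
One way to resolve the invocation mismatch and the undeclared requirements noted above, as an added example (not the skill's own script, whose full source is not shown on this page). The function names and exit codes are hypothetical, and the `https://flomoapp.com/iwh/` prefix check is an assumption taken from the README's example URL; the block covers input handling and pre-flight checks only and sends nothing.

```shell
#!/usr/bin/env bash
# Added example: hypothetical helpers, not part of scripts/save_to_flomo.sh.

# Print the note: the first argument if one is given, otherwise piped stdin.
# Fails fast instead of blocking on cat when stdin is a terminal.
read_note() {
  local note
  if [ "$#" -gt 0 ]; then
    note="$1"
  elif [ ! -t 0 ]; then
    note="$(cat)"
  else
    echo 'usage: save_to_flomo.sh "<note text>"  (or pipe the note on stdin)' >&2
    return 2
  fi
  # Reject empty or whitespace-only input so a blank note is never posted.
  if [ -z "$(printf '%s' "$note" | tr -d '[:space:]')" ]; then
    echo "error: empty note" >&2
    return 3
  fi
  printf '%s' "$note"
}

# Verify that every binary named in the arguments is on PATH.
check_binaries() {
  local bin
  for bin in "$@"; do
    command -v "$bin" >/dev/null 2>&1 || { echo "error: $bin not found" >&2; return 4; }
  done
}

# Validate the webhook URL without echoing it, since the URL is the secret.
# The expected prefix is an assumption based on the README example.
check_webhook_url() {
  case "$1" in
    https://flomoapp.com/iwh/?*) ;;
    "") echo "error: FLOMO_WEBHOOK_URL is not set" >&2; return 5 ;;
    *)  echo "error: FLOMO_WEBHOOK_URL is not a Flomo inbox webhook URL" >&2; return 6 ;;
  esac
}

# Hypothetical wiring at the top of the script, before any request is built:
#   check_binaries curl python3 || exit $?
#   check_webhook_url "${FLOMO_WEBHOOK_URL:-}" || exit $?
#   NOTE="$(read_note "$@")" || exit $?
```

With these checks in place, both the documented argument form and the piped form produce the same note, and a missing variable or binary stops the run before anything is sent.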

Like a lobster shell, security has layers — review code before you run it.

latest: vk976n8m493a3a2bgk2gw1vwxb180ax7m
2.3k downloads
4 stars
1 version
Updated 1mo ago
v0.1.0
MIT-0

flomo-notes

Save notes to Flomo using a single webhook POST.

Setup

Provide your Flomo inbox webhook URL via environment variable:

  • FLOMO_WEBHOOK_URL (required), example: https://flomoapp.com/iwh/XXXXXXXX

You can set it either:

  1. In ~/.openclaw/openclaw.json (recommended):
{
  skills: {
    entries: {
      "flomo-notes": {
        env: {
          FLOMO_WEBHOOK_URL: "https://flomoapp.com/iwh/XXXXXXXX"
        }
      }
    }
  }
}
  2. Or in your shell/service environment:
export FLOMO_WEBHOOK_URL="https://flomoapp.com/iwh/XXXXXXXX"

How the skill works

When triggered, run:

bash scripts/save_to_flomo.sh "<note text>"

Example prompts (to trigger)

  • save to flomo: buy milk, eggs
  • 记录到 flomo:下周美股大事件...

Script manual test

FLOMO_WEBHOOK_URL="https://flomoapp.com/iwh/XXXXXXXX" \
  bash scripts/save_to_flomo.sh "hello from openclaw"

Security

Treat the webhook URL like a secret: anyone with it can post into your Flomo inbox.
