ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Manage Google Keep notes

v1.0.14

Google Keep notes via gkeepapi. List, search, create, manage notes. Add items to notes. Supports authorization via OAuth 2.0 Token.

0· 241·0 current·0 all-time
by@promptingpufferfish

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for promptingpufferfish/gkeep-notes.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Manage Google Keep notes" (promptingpufferfish/gkeep-notes) from ClawHub.
Skill page: https://clawhub.ai/promptingpufferfish/gkeep-notes
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required binaries: python3
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install gkeep-notes

ClawHub CLI

Package manager switcher

npx clawhub@latest install gkeep-notes
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The code and docs implement Google Keep operations via gkeepapi (list, search, create, add, archive, delete, pin, etc.), which aligns with the skill name/description. Requiring only python3 (and typical Python packages) is proportionate. The use of authentication helpers (gpsoauth) is consistent with needing account access, but the chosen auth approach is unusual.
!
Instruction Scope
SKILL.md and README instruct the user to obtain an oauth_token by opening accounts.google.com/EmbeddedSetup, using browser devtools to copy the oauth_token cookie, and pasting it into a generator script — i.e., manual extraction of session cookies. That is nonstandard, sensitive, and could lead to accidental exposure of session cookies or misuse. Instructions also ask the user to write the token to $HOME/.config/gkeep/token.json (plaintext). The runtime commands themselves are limited to gkeepapi operations and local file writes; no remote, arbitrary endpoints are contacted outside Google APIs, but the cookie-extraction step is the key issue.
Install Mechanism
No remote binary downloads or obscure installers: setup uses a Python venv and pip install -r requirements.txt. requirements.txt lists gkeepapi and Google client libraries, which are expected. No extract-from-URL installs or unusual third-party downloads are present.
Credentials
The skill declares no required environment variables and only optionally reads GKEEP_PASSWORD in login flow, which is reasonable. However the skill requires manual handling of a master token/session cookie and storing it in a local token.json; that storage is sensitive and not called out in the registry metadata. The number of secrets requested is small and relevant, but the method of obtaining the token (manual cookie copy or master login) is disproportionate compared to standard OAuth flows and increases risk of accidental credential disclosure.
Persistence & Privilege
always:false and user-invocable:true (normal). The skill creates a venv in its workspace and writes a token file to $HOME/.config/gkeep/token.json; it does not request persistent system-wide privileges nor modify other skills. Storing a valid auth token locally grants broad access to the user's Google account until revoked, so the token file should be treated as a high-privilege artifact.
What to consider before installing
This skill appears to do what it claims (manage Google Keep) but its authentication guidance is nonstandard and risky. It tells you to copy a browser oauth_token cookie and paste it into a token file — doing so may expose a session token that can be used to access your Google account. Before installing or using it: (1) review the generate_token.py and gkeep.py code yourself or with someone you trust; (2) prefer an official OAuth client flow (google-auth-oauthlib) instead of copying cookies or using gpsoauth if possible; (3) if you must use this skill, store token.json with restrictive permissions (the script does set 0o600 on login path, but manual token creation may not), keep backups out of sync, and revoke the token from your Google account if you stop using the skill; (4) verify the gpsoauth library and the repo source (the listed homepage should be reviewed) and avoid pasting secrets into untrusted terminals or editors. If you are uncomfortable with manual cookie extraction or a nonstandard auth path, do not install the skill.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

📝 Clawdis
Binspython3
latestvk97a13xb858n7qy1wekk1f60q183ff2t
241downloads
0stars
15versions
Updated 3h ago
v1.0.14
MIT-0
@promptingpufferfish
latest
Download

Google Keep Notes Skill 📝

WHEN TO USE

Use this skill when users ask to:

  • List Google Keep notes
  • Search notes by keyword
  • Create new notes
  • Add items to notes
  • Get specific note details
  • Archive/pin/delete notes

"List" = Google Keep note (not a bullet list)

SETUP (First Run Only)

  1. Creates venv + installs requirements automatically
  2. Manual call of generate_token.py from the shell, then copy & paste token to file $HOME/.config/gkeep/token.json.
gkeep.py list [--limit 10]                    # List notes
gkeep.py search "note_name"                   # Search notes  
gkeep.py get <note_id>                        # Get note details
gkeep.py create "note_name" "note_body"       # Create note
gkeep.py add <note_id> "new item"             # Add item to note
gkeep.py archive <note_id>                    # Archive note
gkeep.py delete <note_id>                     # Trash note
gkeep.py pin <note_id>                        # Pin note
gkeep.py unpin <note_id>                      # Unpin note

USAGE FLOW

1. User: "Show my <note_name>"
2. → gkeep.py list | grep <note_name> → note_id
3. → gkeep.py get <note_id> → show content
4. User: "Add milk to <note_name>"
5. → gkeep.py list | grep <note_name> → note_id 
6. → gkeep.py add <note_id> "milk"

EXECUTION TEMPLATE

cd ~/.openclaw/workspace/skills/gkeep-notes
source venv/bin/activate
python gkeep.py [command] [args]

TROUBLESHOOTING

❌ "No token" → manually generate token with generate_token.py and copy token into token.json
❌ "Module not found" → setup properly
❌ "API changed" → Check GitHub issues

NOTES

  • Unofficial API (may break if Google changes)
  • venv auto-created during setup
  • Note IDs from gkeep list output
  • Active project (updated March 2026)

Comments

Loading comments...