Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Joplin Notes

v1.0.0

Interface for managing Joplin notes via WebDAV. Allows listing notebooks and notes, reading content (first line = title), and creating or updating notes and...


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for martin004/joplin-notes.

Install the skill "Joplin Notes" (martin004/joplin-notes) from ClawHub.
Skill page: https://clawhub.ai/martin004/joplin-notes
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install joplin-notes

ClawHub CLI


npx clawhub@latest install joplin-notes

Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (high confidence)

Purpose & Capability

Name, description, and the included scripts (list/get/upsert/create) are coherent with a Joplin-over-WebDAV integration. However, the registry metadata claims no required environment variables while the scripts and SKILL.md clearly require JOPLIN_WEBDAV_PATH, JOPLIN_ACCOUNT, and JOPLIN_PASSWORD — this mismatch is surprising and should be fixed.

Instruction Scope

SKILL.md and the scripts instruct the agent to run the included Python scripts (via exec examples) and to create temporary files for uploads; all runtime actions are limited to contacting the configured WebDAV endpoint and reading/writing .md files. The SKILL.md hardcodes an absolute path to the skill workspace in its exec examples, which is brittle but not directly malicious. The scripts do not read unrelated system files or other secrets.

Install Mechanism

There is no external installer or download; all code is bundled with the skill. That avoids third-party fetches, which is good. The scripts use subprocess to call curl and other local Python scripts (no shell construction vulnerabilities in current usage).

Credentials

The scripts require three sensitive environment variables (JOPLIN_PASSWORD, JOPLIN_ACCOUNT, JOPLIN_WEBDAV_PATH) to function. Those are appropriate for a WebDAV-backed Joplin skill, but the registry metadata incorrectly lists no required env vars and no primary credential — this omission prevents users/administrators from understanding the credential needs up front and increases risk of accidental exposure. Requesting a WebDAV password is expected for the feature, but it should be declared transparently.

Persistence & Privilege

The skill is not always-enabled, does not request elevated system privileges, and does not alter other skills' configs. It writes temporary files under /tmp and performs uploads only to the configured WebDAV URL.

What to consider before installing

This skill appears to do what it claims (manage Joplin .md files over WebDAV), but the package metadata fails to declare the sensitive environment variables the scripts actually require (JOPLIN_WEBDAV_PATH, JOPLIN_ACCOUNT, JOPLIN_PASSWORD). Before installing:

  1. Only provide WebDAV credentials if you trust the skill source and host the WebDAV server you intend to use.
  2. Review the included scripts yourself (they are bundled) to confirm there are no hidden endpoints or behaviors.
  3. Update or ask the publisher to correct the registry metadata so required env vars are visible to users.
  4. Consider running the skill in an isolated environment or container, and avoid giving it credentials with broader reuse than necessary.
  5. Note the SKILL.md uses a hardcoded workspace path in its exec examples—ensure the runtime path matches your agent's installation or adjust the commands accordingly.
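
One way to check the declared-versus-actual environment variable mismatch during script review, as an added example that is not part of the skill or of the ClawHub scanner. The function names and the sample script text are assumptions constructed for illustration; the registry metadata format is not shown on this page, so the declared variables are passed in as a plain list.

```python
import ast

def _is_environ(node):
    # Matches os.environ and a bare `environ` imported from os.
    return (isinstance(node, ast.Attribute) and node.attr == "environ") or \
           (isinstance(node, ast.Name) and node.id == "environ")

def _literal(node):
    ok = isinstance(node, ast.Constant) and isinstance(node.value, str)
    return node.value if ok else None

def env_vars_read(source):
    """Names of env vars read with a literal key (Python 3.9+ AST layout).
    Keys computed at runtime are not detected and need manual review."""
    found = set()
    for node in ast.walk(ast.parse(source)):
        name = None
        if isinstance(node, ast.Subscript) and _is_environ(node.value):
            name = _literal(node.slice)                       # os.environ["X"]
        elif (isinstance(node, ast.Call) and node.args
              and isinstance(node.func, ast.Attribute)):
            f = node.func
            is_get = f.attr == "get" and _is_environ(f.value)  # os.environ.get("X")
            is_getenv = (f.attr == "getenv" and isinstance(f.value, ast.Name)
                         and f.value.id == "os")              # os.getenv("X")
            if is_get or is_getenv:
                name = _literal(node.args[0])
        if name:
            found.add(name)
    return found

def undeclared(sources, declared):
    """Map script name -> env vars it reads that the declared list omits."""
    gaps = {}
    for script, src in sources.items():
        missing = sorted(env_vars_read(src) - set(declared))
        if missing:
            gaps[script] = missing
    return gaps

# Constructed stand-ins for bundled scripts; not the skill's real source.
SAMPLE_SCRIPTS = {
    "list_notes.py": 'import os\nbase = os.environ["JOPLIN_WEBDAV_PATH"]\n'
                     'user = os.environ.get("JOPLIN_ACCOUNT")\n',
    "get_note.py": 'import os\npw = os.getenv("JOPLIN_PASSWORD")\n',
}

if __name__ == "__main__":
    print(undeclared(SAMPLE_SCRIPTS, declared=[]))
```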


v1.0.0 (latest) · MIT-0 · 112 downloads · 0 stars · 1 version · Updated 1mo ago

Joplin Notes Skill

This skill provides programmatic access to a Joplin database synchronized via WebDAV.

How it Works

Joplin stores notes and notebooks as .md files in a flat directory. They are linked via metadata at the end of the file (id, parent_id, type_).

  • Title: The first line of the file is the title of the note or notebook.
  • Notebook: A special file type (type_: 2) that serves as a container for notes.
  • Note: A standard file (type_: 1) assigned to a notebook via parent_id.
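
The file layout described above, parsed in an added example that is not taken from the skill's scripts. It assumes the metadata is a final run of "key: value" lines separated from the body by a blank line; the function names and sample files are constructed for illustration.

```python
import re

META_LINE = re.compile(r"^([a-z_]+):\s?(.*)$")

def parse_item(text):
    """Split one Joplin sync file into title, body and trailing metadata."""
    lines = text.rstrip("\n").split("\n")
    meta, end = {}, len(lines)
    # The metadata block is the final unbroken run of "key: value" lines;
    # the blank line before it stops the backwards walk, so body lines
    # that merely look like metadata are left in the body.
    while end > 0 and (m := META_LINE.match(lines[end - 1])):
        meta[m.group(1)] = m.group(2)
        end -= 1
    if "id" not in meta or "type_" not in meta:
        raise ValueError("missing id/type_ metadata")
    return {"title": lines[0] if end else "",
            "body": "\n".join(lines[1:end]).strip("\n"), "meta": meta}

def build_tree(items):
    """Group notes (type_ 1) under notebooks (type_ 2) via parent_id."""
    books = {i["meta"]["id"]: {"title": i["title"], "notes": []}
             for i in items if i["meta"]["type_"] == "2"}
    orphans = []
    for i in items:
        if i["meta"]["type_"] != "1":
            continue  # other item types are ignored here
        book = books.get(i["meta"].get("parent_id", ""))
        (book["notes"] if book else orphans).append(i["title"])
    return books, orphans

# Constructed sample files (ids shortened for readability).
SAMPLE_FILES = [
    "Work\n\nid: nb01\nparent_id: \ntype_: 2",
    "Meeting minutes\n\nagenda: budget\n\nid: n001\nparent_id: nb01\ntype_: 1",
    "Stray note\n\nbody\n\nid: n002\nparent_id: gone\ntype_: 1",
]

if __name__ == "__main__":
    books, orphans = build_tree([parse_item(f) for f in SAMPLE_FILES])
    print(books, orphans)
```

Notes whose parent_id points at a notebook that is not in the directory are returned separately instead of being dropped.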

Available Scripts

The scripts are located in scripts/ and require the following environment variables:

  • JOPLIN_PASSWORD: The password for WebDAV access.
  • JOPLIN_ACCOUNT: The username for Joplin (e.g., openclaw).
  • JOPLIN_WEBDAV_PATH: The full path to the Joplin directory on the WebDAV server.

1. List Notes (list_notes.py)

Outputs the entire structure of notebooks and their contained notes.

  • Usage: python3 scripts/list_notes.py

2. Get Note Content (get_note.py)

Reads the content of a specific note by its ID.

  • Usage: python3 scripts/get_note.py <note_id>

3. Upsert Note/Notebook (upsert_note.py)

Updates an existing note or creates a new one. Supports notebooks via the type parameter.

  • Usage: python3 scripts/upsert_note.py <note_id|new> <parent_id> <content_file> [type (1=note, 2=notebook)]

4. Create Notebook (create_notebook.py)

Creates a new notebook.

  • Usage: python3 scripts/create_notebook.py <title> [parent_notebook_id]

Workflow Examples

Query Structure

  1. exec("python3 /home/openclaw/.openclaw/workspace/skills/joplin-notes/scripts/list_notes.py")
  2. Analyze the output to find the desired note_id or notebook_id.

Read Note Content

  1. exec("python3 /home/openclaw/.openclaw/workspace/skills/joplin-notes/scripts/get_note.py <note_id>")

Edit or Create Note

  1. Download the current content with get_note.py (if editing).
  2. Create a temporary file with the new content (include the title in the first line).
  3. Call upsert_note.py.
