Reflect Notes
v1.0.0Append to daily notes and create notes in Reflect. Use for capturing thoughts, todos, or syncing information to your knowledge graph.
⭐ 1· 2.7k·16 current·18 all-time
bySergiy Dybskiy@sergical
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The script and SKILL.md implement exactly what the name/description claim: appending to daily notes, creating notes, and saving links to reflect.app. However the skill registry metadata declares no required environment variables or binaries even though REFLECT_TOKEN and REFLECT_GRAPH_ID are clearly required at runtime — an inconsistency in the declared vs actual capabilities.
Instruction Scope
Runtime instructions are narrowly scoped to calling reflect.app API endpoints (append daily notes, create notes/links, list links/books/graphs). They do not instruct reading unrelated system files, nor do they exfiltrate data to unexpected endpoints.
Install Mechanism
There is no install spec (instruction-only + helper script), which is low risk. The shipped shell script relies on curl and jq but the skill metadata did not declare those as required binaries — the missing declared dependency is an inconsistency to address (jq in particular may not be present on target systems).
Credentials
The required credentials (REFLECT_TOKEN and REFLECT_GRAPH_ID) are appropriate and proportional for writing to a Reflect graph. The problem is that the registry metadata lists none, so a user could install without realizing they must supply an access token; ensure these are set and stored securely. The SKILL.md's optional 1Password suggestion is benign but not enforced.
Persistence & Privilege
The skill does not request 'always: true' and does not modify other skills or system-wide configs. It can be invoked by the agent (normal), and will perform network writes to your Reflect account when given your token — a legitimate capability but remember autonomous agent invocation means the agent could write without manual approval if allowed.
What to consider before installing
This skill's code and instructions match its stated purpose (writing to Reflect) and are not outright malicious, but the registry metadata is inconsistent: it fails to declare the required env vars (REFLECT_TOKEN, REFLECT_GRAPH_ID) and does not list required binaries (curl, jq). Before installing: (1) verify the skill owner/source and that you trust https://reflect.app; (2) be prepared to provide a Reflect access token and graph id and store them securely (use a scoped token if possible); (3) ensure jq and curl are available on the agent environment; (4) remember anything sent to the skill will be written (append-only) to your Reflect — avoid sending secrets you don't want stored there; (5) consider running the script manually first to confirm behavior and update the registry metadata or ask the publisher to correct the declared requirements.Like a lobster shell, security has layers — review code before you run it.
latest
Reflect Notes Skill
Reflect is a networked note-taking app. Notes are E2E encrypted, so the API is append-only — we can write but not read note contents.
Setup
- Create OAuth credentials at https://reflect.app/developer/oauth
- Generate an access token from that interface
- Set environment variables:
export REFLECT_TOKEN="your-access-token" export REFLECT_GRAPH_ID="your-graph-id" # Find via: curl -H "Authorization: Bearer $REFLECT_TOKEN" https://reflect.app/api/graphs
Or store in 1Password and update scripts/reflect.sh with your vault/item path.
What We Can Do
- Append to daily notes — Add items to today's note (or a specific date)
- Create new notes — Create standalone notes with subject + markdown content
- Create links — Save bookmarks with highlights
- Get links/books — Retrieve saved links and books
API Reference
Base URL: https://reflect.app/api
Auth: Authorization: Bearer <access_token>
Append to Daily Note
curl -X PUT "https://reflect.app/api/graphs/$REFLECT_GRAPH_ID/daily-notes" \
-H "Authorization: Bearer $REFLECT_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"text": "Your text here",
"transform_type": "list-append",
"date": "2026-01-25", # optional, defaults to today
"list_name": "[[List Name]]" # optional, append to specific list
}'
Create a Note
curl -X POST "https://reflect.app/api/graphs/$REFLECT_GRAPH_ID/notes" \
-H "Authorization: Bearer $REFLECT_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"subject": "Note Title",
"content_markdown": "# Heading\n\nContent here...",
"pinned": false
}'
Create a Link
curl -X POST "https://reflect.app/api/graphs/$REFLECT_GRAPH_ID/links" \
-H "Authorization: Bearer $REFLECT_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"url": "https://example.com",
"title": "Page Title",
"description": "Optional description",
"highlights": ["Quote 1", "Quote 2"]
}'
Get Links
curl "https://reflect.app/api/graphs/$REFLECT_GRAPH_ID/links" \
-H "Authorization: Bearer $REFLECT_TOKEN"
Helper Script
Use scripts/reflect.sh for common operations:
# Append to daily note
./scripts/reflect.sh daily "Remember to review PR #6"
# Append to specific list in daily note
./scripts/reflect.sh daily "Buy milk" "[[Shopping]]"
# Create a new note
./scripts/reflect.sh note "Meeting Notes" "# Standup\n\n- Discussed X\n- Action item: Y"
# Save a link
./scripts/reflect.sh link "https://example.com" "Example Site" "Great resource"
Use Cases
- Capture todos from chat → append to daily note
- Save interesting links mentioned in conversation
- Create meeting notes or summaries
- Sync reminders to Reflect for persistence
- Backlink to lists like
[[Ideas]]or[[Project Name]]
Limitations
- Cannot read note contents (E2E encrypted)
- Append-only — can't edit or delete existing content
- No search — can't query existing notes
Comments
Loading comments...