ScanWow Sync

This skill appears to do what it says (receive OCR text via webhook and save it locally), but there are a few things to double-check before you install or run it: - Metadata mismatch: SKILL.md expects SCANWOW_TOKEN and SCANWOW_DIR environment variables, but the registry lists none. Make sure to set SCANWOW_TOKEN to a strong secret and configure SCANWOW_DIR to a safe directory before running. - Keep the server bound to 127.0.0.1 and use a trusted TLS tunnel (cloudflared/ngrok/Tailscale) rather than exposing plain HTTP. Verify the tunnel provider and URL you configure in the iOS app. - Protect the token: treat SCANWOW_TOKEN like any API secret (store in your secrets manager / environment, rotate if leaked). The app stores the token in iOS secure storage, but your webhook must verify it reliably. - Limit file write location: set SCANWOW_DIR to a dedicated, non-sensitive folder (not your home, not a system path). Review the code's filename sanitization—it's basic—so avoid exposing the server to untrusted networks. - Validate payloads: consider adding stronger JSON schema validation, logging, and rate-limiting. The example allows up to 5MB and writes text directly to disk; you may want additional checks (e.g., reject unexpectedly large text fields or suspicious characters). - Operational risk of tunnels: using public tunnels expands the attack surface—ensure you understand the tunnel provider's security model and do not reuse tokens across services. If you want to proceed, request the owner to update the registry metadata to declare SCANWOW_TOKEN (and optionally SCANWOW_DIR) so your secrets management and policy tooling can track the requirement. If you need higher assurance, ask for a signed or versioned implementation and the exact expected webhook URL and token handling details.