Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Supernote Cloud

v1.0.0

Access a self-hosted Supernote Private Cloud instance to browse files and folders, upload documents (PDF, EPUB) and notes, convert web articles to EPUB/PDF and send them to the device, check storage capacity, and navigate the directory tree. Use when the user mentions Supernote, e-ink device files, wants to upload/browse documents on their Supernote cloud, or wants to send an article/URL to their e-reader.

Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)

Purpose & Capability
The name/description (manage a self-hosted Supernote Private Cloud, upload articles/files, convert web pages) matches the included scripts (a CLI shell client and an article→ebook converter). The functionality present is coherent with the claimed purpose.
! Instruction Scope
SKILL.md instructs the user to export SUPERNOTE_URL, SUPERNOTE_USER, and SUPERNOTE_PASSWORD and shows many curl/python calls. The shell script then uses those env vars, contacts the given BASE_URL endpoints, downloads remote content (for article conversion and image embedding), resolves directory trees, and uploads local files. The instructions and scripts therefore access network endpoints, arbitrary web URLs, and local files — all expected for this purpose but broad. The concern is that SKILL.md grants the skill freedom to fetch arbitrary URLs and to read local files specified for upload; it also caches auth tokens on disk. There are no instructions limiting scope or warning about credential handling.
Install Mechanism
This is an instruction-only skill with no installer, so nothing is written to disk by an installer. The runtime includes two scripts shipped in the bundle; no remote download or package install mechanics are present in the registry metadata (lowest install risk).
! Credentials
The registry metadata declares no required environment variables or primary credential, but SKILL.md and scripts require three sensitive env vars (SUPERNOTE_URL, SUPERNOTE_USER, SUPERNOTE_PASSWORD). That's an inconsistency: the skill runtime will ask for and use credentials despite the registry not advertising them. The skill will send the hashed password to the configured BASE_URL and caches a token in /tmp/.supernote_token (permission 600). This credential access is proportionate to the described functionality, but the metadata omission and on-disk token cache are notable risks and surprising to a user who inspects the registry entry only.
Persistence & Privilege
always is false (not forced into every agent run) and disable-model-invocation is default (agent may call it autonomously). The script writes a token file to /tmp/.supernote_token for session caching — a lightweight persistence that can expose a session token to other local users/processes on the host. The skill does not modify other skills or global agent settings.
What to consider before installing
This skill appears to implement a reasonable Supernote Private Cloud client, but there are two key issues to consider before installing:

  • Metadata mismatch: The registry entry declares no required environment variables or credentials, but the SKILL.md and scripts require SUPERNOTE_URL, SUPERNOTE_USER, and SUPERNOTE_PASSWORD. Don’t assume the skill is low-privileged — it needs your Supernote credentials and a URL. Only provide those to a trusted self-hosted server.
  • Token caching and local file access: The CLI caches an auth token in /tmp/.supernote_token (file permission 600) and will read local files you ask it to upload and will fetch arbitrary web URLs to convert into EPUB/PDF. If an attacker or untrusted package controls the configured BASE_URL, your credentials could be sent to that host. Also, the token file in /tmp may be accessible to other local users depending on your system policies.

Recommendations:

  • Verify/inspect the full scripts yourself (you have them). Confirm BASE_URL is a server you control or trust before entering credentials.
  • Consider creating a dedicated, limited Supernote account for use with this skill rather than using a primary account.
  • Run the skill in an isolated environment (container or disposable machine) if you’re concerned about token leakage or untrusted network endpoints.
  • Be cautious when using the article conversion feature: it fetches arbitrary web pages and embedded images (network I/O). If you only need file upload/listing, avoid using article conversion or review the converter's behavior.

Confidence: high that the skill is internally inconsistent (metadata vs runtime) and that the scripts will access sensitive credentials and perform network/local-file operations; this warrants a cautious installation approach.
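
The token-cache finding above concerns the fixed, shared path /tmp/.supernote_token. As an added example (not code from supernote.sh or from the skill's author), this shows one way a shell client can keep a session token in a per-user directory and refuse to read it back when the file is a symlink, owned by someone else, or readable by group/other. The function names and the `supernote/token` location are assumptions.

```shell
#!/bin/sh
# Added example: per-user token cache instead of a predictable file in /tmp.
# token_cache_dir, token_write and token_read are hypothetical helper names.

# Choose a directory only the current user can enter. XDG_RUNTIME_DIR is a
# per-user directory on many Linux hosts; otherwise fall back to $HOME/.cache.
token_cache_dir() {
    dir="${XDG_RUNTIME_DIR:-$HOME/.cache}/supernote"
    ( umask 077 && mkdir -p "$dir" ) || return 1
    # Refuse a symlinked or foreign-owned directory.
    [ -d "$dir" ] && [ ! -L "$dir" ] && [ -O "$dir" ] || return 1
    chmod 700 "$dir" || return 1
    printf '%s\n' "$dir"
}

# Write through a temp file in the same directory and rename it into place,
# so the token never exists on disk with wider permissions.
token_write() {
    dir=$(token_cache_dir) || return 1
    tmp=$(umask 077 && mktemp "$dir/token.XXXXXX") || return 1
    printf '%s\n' "$1" > "$tmp" && mv -f "$tmp" "$dir/token" \
        || { rm -f "$tmp"; return 1; }
}

# Return the token only if the cache file is a regular file (not a symlink),
# owned by the current user, with no group/other permission bits set.
token_read() {
    dir=$(token_cache_dir) || return 1
    f="$dir/token"
    [ -f "$f" ] && [ ! -L "$f" ] && [ -O "$f" ] || return 1
    case "$(ls -ld "$f")" in
        -???------*) ;;      # e.g. -rw------- : owner-only access
        *) return 1 ;;       # anything wider is treated as untrusted
    esac
    cat "$f"
}
```

A caller would fall back to a fresh login whenever `token_read` returns non-zero, rather than trusting whatever file is found at the cache path.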

Like a lobster shell, security has layers — review code before you run it.

MIT-0

Supernote Private Cloud

Browse, upload, and manage files on a self-hosted Supernote Private Cloud via its reverse-engineered REST API. Includes article-to-ebook conversion for sending web content to the device.

Setup

export SUPERNOTE_URL="http://192.168.50.168:8080"
export SUPERNOTE_USER="your@email.com"
export SUPERNOTE_PASSWORD="your_password"

Python dependencies (for article conversion): readability-lxml, ebooklib, requests, beautifulsoup4, lxml.

Commands

Send a web article to the device

{baseDir}/scripts/supernote.sh send-article --url "https://example.com/article" --format epub --dir-path Document
{baseDir}/scripts/supernote.sh send-article --url "https://example.com/article" --format pdf --dir-path "Document/Articles"
{baseDir}/scripts/supernote.sh send-article --url "https://example.com/article" --title "Custom Title" --dir-path Document

Fetches article content, extracts readable text with images, converts to clean EPUB or PDF, then uploads to the specified folder. Default format: epub. Default folder: Document.

List directory contents

{baseDir}/scripts/supernote.sh ls
{baseDir}/scripts/supernote.sh ls --path Document
{baseDir}/scripts/supernote.sh ls --path "Note/Journal"
{baseDir}/scripts/supernote.sh ls --dir 778507258886619136

Directory tree

{baseDir}/scripts/supernote.sh tree --depth 2

Find directory ID by path

{baseDir}/scripts/supernote.sh find-dir --path "Document/Books"

Upload a file

{baseDir}/scripts/supernote.sh upload --file /path/to/file.pdf --dir-path Document
{baseDir}/scripts/supernote.sh upload --file /path/to/book.epub --dir-path "Document/Books"
{baseDir}/scripts/supernote.sh upload --file /path/to/file.pdf --dir 778507258773372928 --name "Renamed.pdf"

Check storage capacity

{baseDir}/scripts/supernote.sh capacity

Login (manual)

{baseDir}/scripts/supernote.sh login

Default Folders

Folder      Purpose
Note        Handwritten notes (.note files)
Document    PDFs, EPUBs, documents
Inbox       Incoming files
Export      Exported content
Screenshot  Screenshots
Mystyle     Custom styles/templates

Notes

  • EPUB is recommended for articles — renders cleanly on e-ink with reflowable text
  • The API is reverse-engineered and unofficial — endpoints may change with firmware updates
  • Directory args accept paths (e.g., "Document/Books") or numeric IDs
  • Some sites block scraping — if fetch fails, try a different URL or use a cached/saved page
