Joplin
v0.1.1Manage Joplin notes via Server API - create, read, edit, search notes, notebooks, todos, and kanban boards
⭐ 0· 195·0 current·0 all-time
bySlava Boiko@slavaboiko
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description, required binaries (node), declared config path (~/.joplin-server-config), included JS client (scripts/joplin-server-api.js), and SKILL.md commands all align: the skill needs to run a bundled Node script against a user-provided Joplin Server URL and authenticate with an email/password. Nothing requested appears unrelated to the stated purpose.
Instruction Scope
The SKILL.md instructs the agent to run bash commands and the bundled node script for all operations (ping, login, list-notes, add-note, etc). It also instructs retrieving secrets from 1Password (via op read) or creating a local config file. This is within scope for a client, but it gives the skill runtime access to the user's home directory (reads/writes ~/.joplin-server-config and ~/.joplin-session) and to any 1Password items the user allows — the agent will be executing those commands directly, so the user should be comfortable with that level of local access.
Install Mechanism
There is no install spec; this is instruction + bundled code executed by node. No network downloads or external installers are performed by the skill itself. The README suggests an optional git clone, but the packaged skill already contains the JS client. No suspicious install URLs or archive extraction are present.
Credentials
The skill does not request unrelated environment variables; it reads JOPLIN_* from environment or ~/.joplin-server-config. It optionally uses the op CLI to pull secrets from 1Password. However, it will store the Joplin password in plaintext in ~/.joplin-server-config (and maintains a session file ~/.joplin-session). These behaviors are proportional for a password-based client but are sensitive — users should be aware credentials are written locally and can choose to manage them differently (e.g., use a dedicated account, limit permissions, or remove the file after use).
Persistence & Privilege
The skill does not request always:true and does not modify other skills. It will create/modify two files under the user's home directory (~/.joplin-server-config and ~/.joplin-session), and may persist cookies/session info there. This is normal for a client but is persistent filesystem access and should be considered by the user.
Assessment
This skill appears to do what it says: it runs a bundled Node client to talk to a Joplin Server URL you provide. Before installing, confirm you trust the skill source (the source is listed as unknown in the registry). Understand the practical implications: the agent will execute Bash/node commands, will read and write ~/.joplin-server-config (which will contain your JOPLIN_PASSWORD in plaintext) and ~/.joplin-session (session cookies). If you opt to use 1Password, the skill uses the op CLI to read the specified vault/item and will write those credentials into the local config file. Recommended precautions: review the included scripts/joplin-server-api.js yourself (it’s bundled) to confirm no unexpected endpoints; use a dedicated or limited-permission account for the Joplin Server if possible; do not enable JOPLIN_SKIP_TLS_VERIFY unless absolutely necessary; and remove or rotate credentials after use if you are concerned about storing plaintext passwords locally.Like a lobster shell, security has layers — review code before you run it.
latestvk978wnextpp3aen2f92wj9zn3583cz9j
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
📓 Clawdis
Binsnode
Config~/.joplin-server-config