Skill v1.0.0

ClawScan security

flomo-crud-skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Feb 27, 2026, 7:32 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's requested actions match its stated goal (web UI CRUD via Chrome MCP), but its runtime instructions include powerful in-page JavaScript/Vue instance calls and a README request to report install/config paths — behaviors that are coherent for automation but broaden the data-access surface and merit caution.
Guidance
This skill is internally consistent with its goal (automating flomo via Chrome MCP) but includes instructions that execute JavaScript inside your logged-in browser and call framework internals (.__vue__ and component methods). Those actions are powerful and could access or modify anything available in that browser session. Before installing or running it:
- Only use it with a browser profile you control and that does not contain other sensitive, unrelated sessions. Prefer a disposable or dedicated browser profile for this skill.
- Inspect and control the MCP bridge implementation you run (hangwin/mcp-chrome or chrome-mcp-server); run those packages from trusted sources and review their code if possible.
- Do not blindly copy the README install sentence to third-party agents: it requests that you 'report installation path and config file path' back to the author — avoid sending local filesystem paths or diagnostics to unknown remote actors.
- Prefer interactive (user-in-the-loop) use for destructive actions and keep automatic deletion disabled unless you fully trust the skill and environment.
- If you need only read/search functionality, restrict the agent to query-only runs (avoid granting edit/delete permissions) and test read operations first.

If you want higher assurance, request the concrete MCP commands the skill will run in your environment, or ask the author for a minimal, read-only mode that forbids executing component fallbacks (.__vue__/Memo.*) and only uses safe DOM reads/clicks.

Review Dimensions

Purpose & Capability
note
Name/description (flomo Web CRUD via Chrome MCP) align with the instructions: the skill automates the flomo web UI and needs page reads/clicks and, in practice, in-page JS to reliably edit/delete. Asking to interact with the page DOM and extract memo_id from hrefs is coherent with the purpose. However, using internal Vue instance access (.__vue__) and calling component methods (e.g., onSubmit(), Memo.removeMemo(memo)) is a higher-privilege technique than simple DOM clicks — it's plausible for robustness but expands capabilities beyond ordinary UI automation.
Instruction Scope
concern
SKILL.md and reference docs instruct the agent to execute JS inside the page and call framework internals (document.querySelector(...).__vue__, Memo.changeToEditMode(), Memo.removeMemo(memo)). Those instructions give the agent the ability to run arbitrary code in the user's logged-in browser context and access any data available there. The README also contains an installation sentence that asks the installer to 'report the installation path, configuration file path and validation results' back to the author — this would cause the agent to reveal local paths/validation output if followed. While these steps are explainable for robust automation, they materially increase the risk of reading or manipulating data beyond the stated memo CRUD scope.
Install Mechanism
ok
No install spec or binary downloads are included in the skill bundle (instruction-only). That reduces supply-chain risk. The README suggests using external projects (hangwin/mcp-chrome and chrome-mcp-server) but does not embed or fetch code directly.
Credentials
ok
The skill requests no environment variables, no credentials, and no config paths in its manifest. That is proportionate to a browser-automation-only skill. Caveat: the README's suggested installation step asks to report installation and config paths, which would expose local information if followed — this is not declared in the skill's manifest and therefore deserves caution.
Persistence & Privilege
note
The skill is not always-enabled and does not request special platform privileges. Autonomous invocation is allowed (platform default). Because the instructions run code in a logged-in browser session, an autonomously invoked agent could perform actions within that session; combined with the ability to execute in-page JS, this increases the effective blast radius. The skill's own safety docs forbid persisting memo bodies, but that is a policy, not a technical enforcement.