Flomo Notes

Pass

Audited by ClawScan on May 10, 2026.

Overview

This is a small, purpose-aligned Flomo webhook skill with disclosed credential and setup notes and no evidence of hidden or malicious behavior.

This skill appears safe for its stated purpose if you want OpenClaw to save selected notes to Flomo. Before installing, configure the webhook as a secret, verify the destination URL, and be aware that the current docs/script should be aligned so the note is passed through stdin or arguments consistently.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the webhook URL is exposed, another person could add notes to the user's Flomo inbox.

Why it was flagged

The webhook URL is a delegated credential that authorizes posting into the user's Flomo inbox. This is disclosed and necessary for the stated purpose, but it is still a permission boundary the user should protect.

Skill content

`FLOMO_WEBHOOK_URL` (required) ... Treat the webhook URL like a secret: anyone with it can post into your Flomo inbox.

Recommendation

Store the webhook only in protected per-skill config or environment variables, and rotate it if it appears in logs or shared files.

What this means

The note text will leave the local environment and create a Flomo entry at the configured webhook destination.

Why it was flagged

The script reads note content from stdin and posts it to the configured webhook. This is purpose-aligned, but SKILL.md documents argument-based invocation, so stdin handling should be explicit to avoid failed or unintended sends.

Skill content

NOTE="$(cat)" ... curl -sS -X POST "$FLOMO_WEBHOOK_URL" ... -d "$JSON_PAYLOAD"

Recommendation

Use the skill only for content the user explicitly wants saved, verify the webhook URL, and update the docs or script so note input is passed consistently.

What this means

Installation may appear complete even though the skill will fail until the webhook URL and required local tools are available.

Why it was flagged

The registry metadata does not declare the webhook credential or runtime binaries, while the included artifacts require FLOMO_WEBHOOK_URL and call curl and python3. This is an under-declared setup requirement, not evidence of hidden behavior.

Skill content

Required binaries (all must exist): none ... Required env vars: none ... Primary credential: none

Recommendation

Declare FLOMO_WEBHOOK_URL, curl, and python3 in the skill metadata or installation requirements.