Trusted — Risk Score 0/100
Last scan: 2 days ago
usememos-api
Interact with UseMemos instance — create, search, list memos and upload attachments
UseMemos API skill is a straightforward, legitimate self-hosted memo service client with no malicious behavior detected.
Skill Name: usememos-api
Duration: 38.2s
Engine: pi
Safe to install
This skill is safe to use. No security concerns identified.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Environment | READ | READ | ✓ Aligned | SKILL.md declares USEMEMOS_URL and USEMEMOS_TOKEN; load_env.py reads from .env |
| Network | READ | READ | ✓ Aligned | All scripts make HTTP requests to USEMEMOS_URL only |
| Filesystem | READ | READ | ✓ Aligned | Only reads files for upload (upload_attachment.py line 31) |
| Shell | NONE | NONE | | No subprocess calls in production scripts |
| Skill Invoke | NONE | NONE | | No cross-skill invocation |
4 findings
Medium · External URL · https://openclaw.ai · README.md:3
Medium · External URL · https://usememos.com · README.md:3
Medium · External URL · http://192.168.0.157:5230 · SKILL.md:25
Medium · External URL · https://your-memos-instance.com/api/v1 · references/api.md:3

File Tree

12 files · 39.9 KB · 1365 lines
Python 8f · 876L Markdown 4f · 489L
├─ 📁 references
│ └─ 📝 api.md Markdown 200L · 3.0 KB
├─ 📁 scripts
│ ├─ 🐍 create_memo.py Python 57L · 1.5 KB
│ ├─ 🐍 list_memos.py Python 68L · 1.9 KB
│ ├─ 🐍 load_env.py Python 26L · 805 B
│ ├─ 🐍 memo_comments.py Python 135L · 4.4 KB
│ ├─ 🐍 search_memos.py Python 67L · 1.9 KB
│ ├─ 🐍 upload_and_link_attachment.py Python 119L · 3.7 KB
│ └─ 🐍 upload_attachment.py Python 68L · 2.0 KB
├─ 📁 tests
│ └─ 🐍 test_image_upload.py Python 336L · 12.4 KB
├─ 📝 CHANGELOG.md Markdown 35L · 1.2 KB
├─ 📝 README.md Markdown 170L · 4.1 KB
└─ 📝 SKILL.md Markdown 84L · 2.9 KB

Security Positives

✓ Uses only Python standard library (urllib.request, json, os, sys, base64) - no external dependencies
✓ Credentials (USEMEMOS_TOKEN) are only used for Bearer authentication to the configured self-hosted instance
✓ No credential harvesting or exfiltration detected
✓ No shell execution in main production scripts (subprocess only in tests for testing purposes)
✓ No base64-decoded shell execution, no obfuscated code, no hidden instructions
✓ All network requests target the user-configured USEMEMOS_URL only
✓ File access is limited to reading files explicitly passed as arguments for upload
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env, etc.)
✓ Input sanitization present (query escaping in search_memos.py)