Scan Report
5 /100
flomo-sync
Quickly sync content to flomo notes, with automatic tag recognition and content formatting
A legitimate flomo note synchronization tool that reads a user-provided webhook URL from ~/.flomo_token and POSTs content to the flomo API. No malicious behavior detected.
Safe to install
This skill is safe to use. The shell execution and network access are declared and necessary for the webhook-based sync functionality.
Findings 1 items
| Severity | Finding | Location |
|---|---|---|
| Low | No dependency version pinning | scripts/flomo.sh:1 |

| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | READ | READ | ✓ Aligned | scripts/flomo.sh:15 reads ~/.flomo_token |
| Network | WRITE | WRITE | ✓ Aligned | scripts/flomo.sh:27 POSTs JSON to webhook URL |
| Shell | WRITE | WRITE | ✓ Aligned | scripts/flomo.sh uses curl/jq for API calls |
File Tree
2 files · 1.5 KB · 49 lines (Shell: 1 file, 32 lines; Markdown: 1 file, 17 lines)
├─ scripts
│  └─ flomo.sh (Shell)
└─ SKILL.md (Markdown)
Dependencies 2 items
| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| curl | system | system binary | No | Required system tool |
| jq | system | system binary | No | Required system tool |
Security Positives
✓ No credential exfiltration - webhook URL is used only for intended API calls
✓ No base64/encoded payloads piped to shell
✓ No access to sensitive paths like ~/.ssh or ~/.aws credentials
✓ No reverse shells, C2 communication, or data theft patterns
✓ All functionality declared in SKILL.md matches implementation
✓ Weblogic is transparent - reads from user-provided file and posts to user-provided webhook
✓ No hidden instructions in comments or documentation
✓ Standard API integration pattern for webhook-based services