flomo-sync 安全扫描报告 — 可信 | ClawSafe

5 /100

flomo-sync

快速同步内容到flomo笔记，支持自动标签识别、内容格式化

A legitimate flomo note synchronization tool that reads a user-provided webhook URL from ~/.flomo_token and POSTs content to the flomo API. No malicious behavior detected.

技能名称flomo-sync

分析耗时27.7s

引擎pi

✓

可以安装

This skill is safe to use. The shell execution and network access are declared and necessary for the webhook-based sync functionality.

安全发现 1 项

严重性	安全发现	位置
低危	No dependency version pinning The skill relies on system tools (curl, jq) that are assumed to be installed. No requirements.txt or equivalent for pinning versions. `#!/bin/bash` → Document curl and jq as prerequisites. Consider checking minimum version requirements.	`scripts/flomo.sh:1`

资源类型	声明权限	推断权限	状态	证据
文件系统	`READ`	`READ`	✓ 一致	scripts/flomo.sh:15 reads ~/.flomo_token
网络访问	`WRITE`	`WRITE`	✓ 一致	scripts/flomo.sh:27 POSTs JSON to webhook URL
命令执行	`WRITE`	`WRITE`	✓ 一致	scripts/flomo.sh uses curl/jq for API calls

目录结构

2 文件 · 1.5 KB · 49 行

Shell 1f · 32L Markdown 1f · 17L

├─ ▾ 📁 scripts

│ └─ 🔧 flomo.sh Shell 32L · 842 B

└─ 📝 SKILL.md Markdown 17L · 681 B

依赖分析 2 项

包名	版本	来源	已知漏洞	备注
`curl`	`system`	system binary	否	Required system tool
`jq`	`system`	system binary	否	Required system tool

安全亮点

✓ No credential exfiltration - webhook URL is used only for intended API calls

✓ No base64/encoded payloads piped to shell

✓ No access to sensitive paths like ~/.ssh or ~/.aws credentials

✓ No reverse shells, C2 communication, or data theft patterns

✓ All functionality declared in SKILL.md matches implementation

✓ Weblogic is transparent - reads from user-provided file and posts to user-provided webhook

✓ No hidden instructions in comments or documentation

✓ Standard API integration pattern for webhook-based services