Scan Report
0/100
content-clipper
Extract, summarize, and clip web content to flomo or local markdown
content-clipper is a legitimate web content extraction and note-clipping tool with no malicious behavior detected; all capabilities are declared and consistent with documented behavior.
Safe to install
Approve for use. The skill is safe and performs only declared web content fetching and posting to the flomo webhook or local markdown files.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Network | READ | READ | ✓ Aligned | scripts/clip.js:42-49 — uses https.get/http.get to fetch URLs |
| Network | WRITE | WRITE | ✓ Aligned | scripts/clip.js:91-104 — POSTs content to flomo webhook; scripts/clip.js:97 — ex… |
| Filesystem | WRITE | WRITE | ✓ Aligned | scripts/clip.js:107 — fs.writeFileSync for markdown output |
| Shell | WRITE | WRITE | ✓ Aligned | scripts/clip.js:97 — execSync runs curl.exe for Windows proxy bypass; declared i… |
| Environment | READ | READ | ✓ Aligned | scripts/clip.js:14 — reads FLOMO_WEBHOOK env var |
| Skill Invoke | NONE | NONE | — | No skill_invoke usage found |
| Clipboard | NONE | NONE | — | No clipboard access found |
| Browser | NONE | NONE | — | No browser automation found |
| Database | NONE | NONE | — | No database access found |
1 finding
Medium External URL
https://flomoapp.com/iwh/MTg4MTA/c6fceb66258d3cc5c527d82f283ba06a/ SKILL.md:26
File Tree
3 files · 7.3 KB · 191 lines
JavaScript 1f · 148L
Markdown 1f · 31L
JSON 1f · 12L
├─ scripts
│  └─ clip.js (JavaScript)
├─ package.json (JSON)
└─ SKILL.md (Markdown)
Dependencies 1 items
| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| none (uses built-in modules only) | N/A | nodejs | No | Uses only https, http, fs, child_process — no external npm packages |
Security Positives
✓ All declared capabilities (network:READ/WRITE, filesystem:WRITE, shell:WRITE) match actual code behavior
✓ SKILL.md documents the Windows curl.exe proxy bypass explicitly in the Notes section
✓ Hardcoded flomo webhook URL points to a legitimate note-taking service (flomoapp.com), not an exfiltration endpoint
✓ Uses only built-in Node.js modules with zero external dependencies — no supply chain risk
✓ No credential harvesting: only reads FLOMO_WEBHOOK (a webhook URL, not a secret token)
✓ No obfuscation, base64 payloads, eval(), or anti-analysis techniques
✓ No persistence mechanisms (no cron, startup hooks, or backdoor installation)
✓ Content is only sent to the user-specified or configured flomo webhook — no secondary exfiltration channels
✓ Graceful fallback from curl to native Node.js https ensures reliability without introducing new attack surface