Is fancygobot/flowmind safe?

https://github.com/openclaw/skills/tree/main/skills/fancygobot/flowmind

91 · SAFE

The flowmind skill is a clean REST API integration for the flowmind.life productivity SaaS platform, consisting solely of three documentation files with no executable code, no prompt injection, and no unauthorized data access. Credential file reads observed in the monitoring logs are attributable to the oathe audit infrastructure's canary baseline checks, not to the skill, as confirmed by intact canary hashes. The primary risk is the expected and disclosed transmission of user productivity and contact PII to a third-party service.

Category Scores

Prompt Injection 94/100 · 30%
Data Exfiltration 86/100 · 25%
Code Execution 99/100 · 20%
Clone Behavior 92/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 85/100 · 5%

Findings (4)

LOW · PII routed to third-party SaaS · -14

The /people endpoint stores rich personal contact information including email, phone, company, role, location, latitude/longitude, birth month/day, MBTI type, and zodiac sign. All data is transmitted to and stored on flowmind.life servers. While this is the skill's stated purpose, users and administrators should evaluate flowmind.life's data handling and privacy posture before enabling this skill in environments with sensitive contact data.

INFO · All productivity data transmitted to flowmind.life · 0

Goals, tasks, subtasks, notes, and tags are all persisted exclusively on the external flowmind.life service. The agent will need FLOWMIND_API_KEY in its environment, creating a credential management dependency.

INFO · Install sourced from expected monorepo path · 0

The skill was cloned from the canonical openclaw/skills.git repository using sparse-checkout targeting the correct subpath. No unexpected network destinations were contacted during install.

INFO · Skill is pure documentation — no executable surface · 0

All three files are static markdown or JSON. No package.json scripts, no git hooks, no binary blobs, no shell scripts. Zero code execution risk from the skill files themselves.