Is giraffe-tree/flomo-add safe?
https://github.com/openclaw/skills/tree/main/skills/giraffe-tree/flomo-add
This skill provides legitimate functionality to add notes to the flomo service but creates data exfiltration risks by sending user content to external webhook URLs without validation. While the functionality is as intended, the configurable webhook mechanism could be abused for unauthorized data collection.
Findings (4)
HIGH Unvalidated External Data Transmission (-35)
The skill sends arbitrary user content to external webhook URLs without domain validation. The webhook URL is read from a user-configurable .flomo.config file, creating a pathway for data exfiltration if a malicious URL is configured.
MEDIUM Webhook Abuse Potential (-25)
While the skill provides legitimate functionality for flomo note-taking, the webhook mechanism could be abused by attackers who control the configuration file to exfiltrate sensitive information from user inputs.
LOW Configuration File Access (-10)
The skill reads configuration files that may contain sensitive webhook URLs, though this is part of normal operation.
LOW Executable Python Script (-10)
The skill contains executable Python code, though the code appears benign and uses only standard library functions.