Skills
skills/undertone0809/flomo-skills/flomo-local-api/Gen Agent Trust Hub

flomo-local-api

Warn

Audited by Gen Agent Trust Hub on Apr 11, 2026

Risk Level: MEDIUMCREDENTIALS_UNSAFECOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
  • [CREDENTIALS_UNSAFE]: The script scripts/flomo_local_api.py contains a hardcoded authentication secret (API_SECRET = "dbbc3dd73364b4084c3a69346e0ce2b2"). Additionally, it implements a mechanism to harvest an access_token by reading raw data files from the Flomo desktop app's internal storage at ~/Library/Containers/com.flomoapp.m/Data/Library/Application Support/flomo/Local Storage/leveldb.
  • [COMMAND_EXECUTION]: The skill relies on shell command execution to run Python scripts that perform network operations, file system reads, and file system writes.
  • [DATA_EXFILTRATION]: The skill accesses personal memo data from the Flomo API and can exfiltrate this information to the local filesystem by writing it to the ~/download/ directory during the export-monthly command.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection as it ingests untrusted data from the Flomo API.
  • Ingestion points: Memo content and tag data are fetched from flomoapp.com in scripts/flomo_local_api.py via api_get calls.
  • Boundary markers: The skill lacks explicit delimiters or instructions to the agent to treat fetched memo content as untrusted data.
  • Capability inventory: The skill possesses network read/write capabilities (api_get/api_put) and local file write capabilities (Path.write_text).
  • Sanitization: No sanitization or validation is performed on the fetched content to prevent embedded instructions from influencing agent behavior.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Apr 11, 2026, 10:59 PM