flomo-local-api
Audited by Socket on Mar 27, 2026
1 alert found:
Anomaly
Best report choice: Report 3 (most complete and consistent). Improved assessment: This module is primarily a Flomo memo automation CLI, but it contains two high-sensitivity supply-chain/security red flags: (a) it harvests a local Flomo access token by scanning the user's LevelDB/App storage, and (b) it embeds a hardcoded API secret used for request signing (MD5-based). Network activity appears constrained to flomoapp.com/api/v1, and there are no obvious classic malware behaviors in this snippet (no exec/subprocess/backdoor/external-domain exfiltration). However, the combination of token harvesting and an embedded secret makes it risky to distribute or include as a dependency without explicit user trust and a security review.