WizNote skills

Security checks across malware telemetry and agentic risk

Overview

This WizNote skill is a disclosed note-sync helper, but users should treat it as read-write access to their private notes and protect credentials carefully.

Install only if you intend to let an agent or scripts access your WizNote account. Use a trusted HTTPS server URL, avoid hardcoding real passwords, consider a dedicated least-privileged account, test listing before writes, and keep mirrored private notes out of shared repositories unless intended.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Description-Behavior Mismatch

Medium, 94% confidence
Finding
The module exposes remote note creation and overwrite primitives even though the declared skill purpose emphasizes reading, mirroring, and organizing notes. In an agent/tooling context, hidden write capabilities expand the action surface and can enable unintended modification or destruction of remote user data if another component imports and calls these functions.

Context-Inappropriate Capability

Medium, 92% confidence
Finding
The CLI only advertises note listing, but the module contains undocumented functions that can create and overwrite server-side notes. Undocumented mutation APIs are risky in agent environments because reviewers and users may assume the skill is read-only while imported code can still perform destructive actions.

Missing User Warnings

Medium, 92% confidence
Finding
The skill instructs users to create or update remote notes and mirror them locally, but it does not provide a clear warning that these actions modify remote content and local files. In practice, this can lead to accidental overwrites, propagation of bad data, or unintended synchronization into a repository when users think they are performing a read-only operation.

Missing User Warnings

Medium, 95% confidence
Finding
The skill tells users to supply and export a password through environment variables or direct parameters without warning about secret-handling risks. This is dangerous because credentials may be exposed through shell history, process inspection, logs, screenshots, or accidental commits, especially in shared or automated environments.

Missing User Warnings

Medium, 81% confidence
Finding
The code sends raw credentials to a configurable base URL without enforcing HTTPS or validating that the destination is trusted. If the base URL is misconfigured or attacker-controlled, credentials can be transmitted to an insecure or malicious endpoint, resulting in account compromise.

VirusTotal

67/67 vendors flagged this skill as clean.
