
Security audit

markdownknowledge

Security checks across malware telemetry and agentic risk

Overview

This is a mostly coherent local Markdown search skill, but it ships private-looking indexed content with exposed API credentials and can install an external binary without clear consent.

Review carefully before installing. Remove the bundled config.json and index.json, rotate the exposed AMap credentials if they belong to you, index only a folder you intentionally choose, keep secrets out of Markdown notes, and install ripgrep yourself from a trusted source instead of relying on the skill's automatic downloader.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (22)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 89%
Finding: The skill declares no permissions, yet the documented and inferred capabilities include file reads/writes, shell execution, and network access. That mismatch is dangerous because users and the host platform cannot accurately assess or constrain what the skill may do, especially since the skill appears able to modify local files and download software.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 96%
Finding: The documented behavior says the skill only performs user-triggered local knowledge-base retrieval, but the analysis indicates additional undeclared behaviors: downloading and installing ripgrep from GitHub, writing an executable into ~/.local/bin, and exposing an undocumented health-check action. Hidden network access and binary installation materially expand the attack surface and break user expectations about a supposedly local, non-intrusive skill.

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding: The manifest presents the skill as a local Markdown knowledge-base tool with no network requirement, yet the changelog documents automatic ripgrep installation across platforms. That creates a capability mismatch: users and the platform may trust the skill as local-only while init behavior can trigger package-manager or download activity, expanding the attack surface and violating least-privilege expectations.

Context-Inappropriate Capability

Severity: Medium
Confidence: 88%
Finding: Automatically installing ripgrep gives the skill a software-installation capability that is not inherent to simple knowledge-base indexing. Even if intended for convenience, invoking package managers or downloading binaries can lead to unexpected code execution paths, supply-chain risk, and broader host modification than users expect from a search skill.

Scope Creep

Severity: High
Confidence: 97%
Finding: The manifest declares that network access is not required, but the documented init behavior implies downloading or installing ripgrep, which typically needs network and package-manager execution. This discrepancy is dangerous because policy engines, reviewers, and users may approve the skill under false assumptions, allowing undeclared external access and host changes.

Description-Behavior Mismatch

Severity: High
Confidence: 99%
Finding: The indexed knowledge base contains plaintext third-party credentials, including an AMap Web service key and private signing key, inside content that a retrieval skill may surface to users or downstream tools. For a skill whose stated purpose is local Markdown knowledge retrieval, exposing live API secrets materially expands its behavior into secret disclosure and creates immediate risk of unauthorized API use, quota exhaustion, and potential abuse tied to the owner's account.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding: This retrieval corpus includes sensitive credentials unrelated to the minimum functionality needed for a general knowledge search skill. Because retrieval is user-triggered and the index stores summaries and blocks verbatim, an attacker can query for API keys, private keys, or configuration terms and extract secrets without needing filesystem access.

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding: The README promises automatic context injection and seamless use of local knowledge in AI conversations, while the skill metadata states retrieval should occur only when explicitly triggered by the user. This mismatch can cause operators or downstream agents to implement broader retrieval than intended, increasing the risk of unintended disclosure of local Markdown content.

Intent-Code Divergence

Severity: Medium
Confidence: 96%
Finding: The AI usage guidance instructs the assistant to immediately search the knowledge base whenever the user asks a question, directly contradicting the declared trigger-only behavior. In a skill that indexes local files, unconditional search can silently expand data access and expose private notes or sensitive documents without explicit user intent.

Description-Behavior Mismatch

Severity: High
Confidence: 97%
Finding: The skill is presented as a local Markdown knowledge-base integration, but the initialization path can silently download an external binary from GitHub and install it into the user's environment. That creates unexpected network access and executable installation behavior, which materially expands the trust boundary and can expose users to supply-chain compromise or unauthorized system modification.

Context-Inappropriate Capability

Severity: High
Confidence: 96%
Finding: A search/indexing skill should not need the ability to fetch and install arbitrary executables without an explicit trust decision by the user. Even if intended for convenience, bundling downloader/installer behavior with a retrieval skill creates an unnecessary execution pathway that could be abused through compromised releases, man-in-the-middle tampering with the download, or unsafe archive extraction.

Intent-Code Divergence

Severity: Medium
Confidence: 84%
Finding: The documentation and module header describe the capability as local knowledge-base integration, but init performs network activity to fetch dependencies. This mismatch can mislead users and reviewers about the skill's actual behavior, undermining informed consent and making the hidden installation behavior more dangerous in practice.

Vague Triggers

Severity: Medium
Confidence: 92%
Finding: The trigger phrase set includes broad patterns such as knowledge-related conversational fragments that may match ordinary dialogue, causing unintended searches and context injection. In a retrieval skill, accidental activation can pull local document snippets into the model context without the user deliberately invoking the tool.

Vague Triggers

Severity: Medium
Confidence: 94%
Finding: The documentation states that any message containing a trigger word may execute a search, which is too permissive for a tool that reads local knowledge and injects snippets into context. This broad matching raises the risk of unintentional disclosure of sensitive local notes during normal conversation.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding: The Chinese trigger phrase is similarly overbroad and can overlap with everyday language, making accidental invocation likely. Because the skill works on local Markdown content, accidental triggering can expose personal or proprietary notes to the model context.

Vague Triggers

Severity: Medium
Confidence: 93%
Finding: The Chinese auto-trigger condition says messages containing trigger words can automatically execute search and inject context. That behavior is dangerous in multilingual chat because common phrasing may unintentionally activate local retrieval and disclose stored knowledge.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: Advertising automatic context injection from a local knowledge base without a clear privacy warning is dangerous because users may not realize their local Markdown content can be pulled into model context and responses. This is especially sensitive in a desktop or workstation setting where notes may contain credentials, personal data, or proprietary information.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: The setup instructions direct users to index ~/Knowledge without warning that this location may contain personal or sensitive material. In a local knowledge skill, omission of this warning can lead to over-broad ingestion and later disclosure through search results or injected context.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The code downloads and installs ripgrep automatically when not present, with no explicit confirmation prompt. Silent installation of an external executable violates user expectations for a local search tool and can alter the host environment without informed consent.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: Initialization auto-detects a likely Markdown directory, writes configuration, and immediately builds an index over local content without a prior warning or confirmation. In a knowledge-base skill, indexing local files is expected, but doing so automatically on inferred paths can still expose sensitive documents to processing beyond what the user intended.

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding: The index builder serializes full document content blocks, metadata, filenames, and absolute paths into an on-disk JSON index without any notice or consent mechanism in this file. In a local knowledge-base skill, this materially increases confidentiality risk because sensitive notes are duplicated into a secondary file that may have broader retention, backup, or exposure than the source Markdown files.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding: The incremental update path silently rewrites the persistent index file, again storing document content and metadata without an explicit warning to the user. This is dangerous because it can overwrite prior state while continuously mirroring sensitive local knowledge into a separate artifact, increasing unintended disclosure risk and complicating secure deletion.

VirusTotal

67/67 vendors flagged this skill as clean.
