Obsidian Knowledge Base Integration

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a genuine Obsidian knowledge-base helper, but it sends note data to, and writes notes on, a hardcoded internal service over plain HTTP, with little user control over where that data goes.

Install only if you intentionally want this agent to use that specific Obsidian knowledge-base service and you trust the network and server. Avoid storing secrets, credentials, regulated data, or private operational notes until the endpoint is configurable, authenticated, encrypted, and scoped to an approved vault or folder.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (9)

Intent-Code Divergence

Medium
Confidence
86% confidence
Finding
The module documentation presents the skill as a generic Obsidian knowledge-base integration, but save_experience silently injects fixed host and agent identity metadata into created notes. This can leak internal infrastructure details and create deceptive or unexpected attribution in stored content, especially when users believe only their supplied note content is being saved.

Missing User Warnings

Medium
Confidence
75% confidence
Finding
The README publishes an internal network API endpoint and describes semantic-search service usage without any privacy, authentication, or transport-security guidance. In this context, users may send potentially sensitive note content to a remote service over plain HTTP, increasing the risk of unintended data exposure on local networks or through misconfiguration.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill provides direct write and index-rebuild operations against a shared knowledge base without any warning, confirmation step, or access-control guidance. In a multi-agent environment, this can lead to unintended data modification, corruption, or propagation of misleading content across other agents that rely on the shared store.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The document explicitly states that the knowledge base is fully shared and that cross-host querying is unrestricted, but provides no privacy, confidentiality, or data-classification warning. This increases the risk that sensitive operational notes, internal host details, or other agents' data will be queried or stored without appropriate consent or controls.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The client sends note titles, contents, filenames, and search queries over plain HTTP to a hardcoded private-network endpoint, with no transport encryption and no user warning or consent. This can expose potentially sensitive knowledge-base data to interception, unintended local-network services, or silent exfiltration if the host is reachable in a broader environment.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script performs unauthenticated HTTP requests to a private internal IP and prints portions of the returned data, but it gives the user no explicit notice that running it will initiate network access and retrieve potentially sensitive service metadata. In an agent-skill context, hidden network activity against internal services is risky because it can expose internal topology, service status, note metadata, or other non-public information without informed user consent.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The test suite performs a state-changing write by creating a note on the target API, but it does not provide a clear user-facing warning, confirmation step, or opt-in guard before doing so. In a skill or automated-agent context, this can lead to unintended data creation, pollution of a knowledge base, or writes against a production-like service without operator awareness.

External Transmission

Medium
Category
Data Exfiltration
Content
            if folder:
                data["folder"] = folder

            response = requests.post(f"{self.base_url}/note",
                                     json=data,
                                     headers={"Content-Type": "application/json"})
            response.raise_for_status()
Confidence
94% confidence
Finding
requests.post(f"{self.base_url}/note", json=

External Transmission

Medium
Category
Data Exfiltration
Content
        """Semantic search over notes"""
        try:
            data = {"query": query, "limit": limit}
            response = requests.post(f"{self.base_url}/search",
                                     json=data,
                                     headers={"Content-Type": "application/json"})
            response.raise_for_status()
Confidence
92% confidence
Finding
requests.post(f"{self.base_url}/search", json=

VirusTotal

64/64 vendors flagged this skill as clean.