Security audit

Siyuan Note Cli

Security checks across malware telemetry and agentic risk

Overview

The skill’s SiYuan note access is mostly coherent, but it gives agents broad local-note authority and automatically reads a persistent guide note that could influence future behavior.

Install only if you intentionally want an agent to access and modify your local SiYuan workspace. Keep the API token private, review any "AI Assistant Guide" note before use, avoid storing adversarial or sensitive instructions there, and prefer read-only/query-limited workflows unless you explicitly want writes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The reference exposes a generic `query` command that appears capable of executing arbitrary SQL while only stating in prose that SQL 'should be used for reads only.' In a skill that instructs an agent to operate on a live local SiYuan instance, this creates a real risk that an LLM or user could issue destructive write statements, causing note, block, or database corruption.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The trigger description is broad enough to activate on common note-taking, reference, and knowledge-base requests, which can cause the agent to invoke a powerful local-data skill in situations where the user did not clearly intend SiYuan access. Because the skill can read and modify local notes and databases, over-triggering increases the chance of unnecessary access to sensitive personal data and unintended writes.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The authentication example includes a raw `--token <token>` argument without warning about credential sensitivity, which can normalize unsafe handling of secrets. In CLI contexts, passing secrets on the command line may expose them through shell history, process listings, logs, screenshots, or copied transcripts, increasing the chance of token compromise and unauthorized access to the user's notes.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The workflow states that every task triggering this skill should first search for and read an "AI Assistant Guide," but the skill metadata already says to use this skill broadly whenever users want to query, create, or modify SiYuan notes. That creates an expansive trigger surface where note content can influence subsequent behavior, increasing the chance of prompt-injection style instruction following from untrusted notes.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The workflow recommends writing sensitive task content to a predictable fixed path in the system temp directory and overwriting it on each run, without a warning to the user. A fixed temp filename can expose note contents to other local processes or users, cause accidental clobbering of unrelated data, and create race/symlink risks on multi-user or less trusted systems.

Session Persistence

Medium
Category
Rogue Agent
Content
name: siyuan-note-cli
description: |
  Connect to and operate SiYuan Note through the siyuan-note-cli command-line tool, using notes as context for AI tasks.
  Use when the user asks to query, create, or modify SiYuan notes; read guides or knowledge bases from notes; manage notebooks, documents, blocks, or databases; write task results to SiYuan; or reference SiYuan notes during other work.
  After this skill is triggered, first read the note named "AI Assistant Guide" before performing the specific operation.
  Requires the local SiYuan Note client to be running and an API token to be configured.
---
Confidence
93% confidence
Finding
write task results to SiYuan; or reference SiYuan notes during other work. After this skill is triggered, first read the note named "AI Assistant Guide" before performing the specific operation. R

VirusTotal

VirusTotal findings are pending for this skill version.
Static analysis

Detected: suspicious.secret_argv_exposure

Instructions pass high-value credentials through process argv.

Critical
Code
suspicious.secret_argv_exposure
Location
references/commands.md:13

Instructions pass high-value credentials through process argv.

Critical
Code
suspicious.secret_argv_exposure
Location
SKILL.md:53