aidenote-skill

Security checks across malware telemetry and agentic risk

Overview

The note features are coherent, but the skill also installs a persistent remote bridge by executing downloaded scripts and exposing partial credential material, so it needs manual review before installation.

Install only if you specifically need the AiDeNote mobile app to connect to this computer's OpenClaw instance and you trust the SlonAide/AiDeNote installer source. Before using bridge setup, review the installer script, verify how to disable or uninstall the login-start service, and avoid sharing connection-test output because it includes partial credential material.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (24)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill documents network access, local config/file reads, and bridge installation behavior, but it does not declare corresponding permissions. This undermines user consent and platform trust because a note assistant can interact with host state and remote services without an explicit permission boundary, increasing the chance of unnoticed sensitive operations.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The manifest presents the skill as a recording-note assistant, but the documented behavior includes downloading installers, installing a remote bridge, registering autostart, and enabling remote connectivity to the local OpenClaw instance. This mismatch is dangerous because users may consent to a benign-seeming note tool without realizing it can alter the host and expose a remote access path.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
Host-level bridge installation and autostart setup go well beyond the expected scope of a note-management assistant. In context, this is more dangerous because it creates a persistent background component and remote communication channel on the user's machine, which materially changes the trust and attack surface.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The description frames the skill as note management, while the actual documented behavior includes installing a remote bridge and persistent startup services. This deceptive or incomplete disclosure increases risk because users and reviewers may not apply the scrutiny appropriate for software that modifies host execution state.

Intent-Code Divergence

Low
Confidence
73% confidence
Finding
The privacy section claims transcript text is limited by default, but the documented detail retrieval suggests full transcript access may be available. For a recording-note product, this inconsistency is security-relevant because users may assume stronger privacy protections than are actually enforced, leading to overexposure of sensitive transcription data.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The manifest exposes configuration for downloading and installing remote bridge scripts and tunnel binaries, which materially expands the plugin's capabilities beyond note transcription and search. Even though this file is only metadata, these fields enable later code to fetch and execute remote components, creating a supply-chain and remote code execution risk if the URLs, hosting, or update path are compromised.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The configured macOS shell script URL, Windows PowerShell installer URL, and tunnel binary base URL are unusually powerful for a recording-note assistant and indicate the ability to bootstrap external software on the host. This context mismatch increases risk because users may grant trust based on the benign plugin description while the plugin can facilitate remote installation or tunneling behavior that could be abused for persistence, command execution, or data exfiltration.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The script enumerates host-local OpenClaw configuration files and also inspects process environment variables for API credentials. While this may be intended as a troubleshooting utility, it accesses sensitive local configuration and secrets outside the core recording/transcription function, increasing the attack surface and normalizing credential discovery behavior that could leak or be repurposed by a broader skill runtime.

Description-Behavior Mismatch

High
Confidence
93% confidence
Finding
This tool adds remote bridge installation and startup behavior that goes beyond a recording/transcription assistant’s expected scope. Expanding a note-taking skill into system-level remote access setup increases attack surface and can normalize privileged operations that users would not reasonably expect from this skill.

Context-Inappropriate Capability

Critical
Confidence
99% confidence
Finding
The code fetches an installer script from a remote URL and immediately executes it via bash or PowerShell, which is a classic remote code execution pattern. Because the URL can also be overridden from configuration, compromise of the CDN, config, or distribution path would let an attacker run arbitrary code on the host.

Context-Inappropriate Capability

High
Confidence
91% confidence
Finding
The code inspects OS-level launch agents, scheduled tasks, and processes to manage a persistent bridge service. In the context of a note assistant, this is unusually powerful behavior that could be abused for persistence, host reconnaissance, or concealment of unauthorized background components.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The connection-test tool unnecessarily includes partial API key and bearer token values in its output. Even masked secrets materially increase exposure by aiding credential identification, correlation across logs/screenshots, and accidental disclosure, and this behavior is not required for a recording-note assistant’s normal function.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README instructs users to install a remote bridge that will auto-start on login, but it does not clearly disclose the security implications of persistent background software that exposes a remote communication path. Even if legitimate, persistence plus remote connectivity materially increases attack surface and can enable misuse, unauthorized access, or difficult-to-notice compromise if the bridge or its update path is ever abused.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README provides direct URLs to platform-specific installer scripts without clearly warning that these are externally hosted scripts which may be downloaded and executed on the user's machine. This pattern is dangerous because remote script execution can lead to full host compromise if the CDN, URL configuration, transport chain, or script contents are tampered with.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The bridge installation instructions do not prominently warn that the process will register autostart services and modify local system state. This is dangerous because users may trigger installation without understanding it creates persistence and background execution on their device.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The script prints note metadata and may print portions of sensitive note content, including transcript length and the first 100 characters of the AI summary, directly to stdout. In a recording-notes context, summaries can easily contain private meeting content, personal data, or confidential business information, so exposing them without warning or redaction creates a real confidentiality risk, especially in shared terminals, CI logs, or screen recordings.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The tool proceeds from a user-invoked setup action directly into downloading and running an installer without presenting a clear warning about system modification, persistence, or the remote script source. That lack of informed confirmation increases the chance users will authorize risky actions they do not understand.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The API key is injected into the subprocess environment for the downloaded installer, exposing a sensitive credential to externally sourced code. If the installer is malicious or compromised, it can exfiltrate the key and use it to access backend services or relay infrastructure.

Missing User Warnings

High
Confidence
99% confidence
Finding
The test-connection output reveals portions of both the API key and the live bearer token to the caller without necessity or warning. Because tokens grant authenticated API access, even partial exposure can leak sensitive credential material into chat history, logs, telemetry, or screenshots and meaningfully raises the chance of compromise.

Session Persistence

Medium
Category
Rogue Agent
Content
> tunnel disconnected: auth rejected: invalid token
> ```
>
> **Fix:** Edit `~/Library/LaunchAgents/cn.aidenote.openclaw-tunnel.plist`,
> delete `--token-endpoint` and the URL argument line that follows it, then restart the service:
> ```bash
> launchctl bootout gui/$(id -u) ~/Library/LaunchAgents/cn.aidenote.openclaw-tunnel.plist
Confidence
92% confidence
Finding
plist

Session Persistence

Medium
Category
Rogue Agent
Content
> **Fix:** Edit `~/Library/LaunchAgents/cn.aidenote.openclaw-tunnel.plist`,
> delete `--token-endpoint` and the URL argument line that follows it, then restart the service:
> ```bash
> launchctl bootout gui/$(id -u) ~/Library/LaunchAgents/cn.aidenote.openclaw-tunnel.plist
> launchctl bootstrap gui/$(id -u) ~/Library/LaunchAgents/cn.aidenote.openclaw-tunnel.plist
> ```
Confidence
92% confidence
Finding
plist

Session Persistence

Medium
Category
Rogue Agent
Content
> delete `--token-endpoint` and the URL argument line that follows it, then restart the service:
> ```bash
> launchctl bootout gui/$(id -u) ~/Library/LaunchAgents/cn.aidenote.openclaw-tunnel.plist
> launchctl bootstrap gui/$(id -u) ~/Library/LaunchAgents/cn.aidenote.openclaw-tunnel.plist
> ```

### 6. Check bridge status
Confidence
92% confidence
Finding
plist

Unpinned Dependencies

Low
Category
Supply Chain
Content
"audio-notes"
  ],
  "dependencies": {
    "axios": "^1.6.0"
  }
}
Confidence
90% confidence
Finding
"axios": "^1.6.0"

Known Vulnerable Dependency: axios==1.6.0 — 10 advisory(ies): CVE-2025-62718 (Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF); CVE-2026-42044 (Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in `pars); CVE-2026-25639 (Axios is Vulnerable to Denial of Service via __proto__ Key in mergeConfig) +7 more

High
Category
Supply Chain
Confidence
99% confidence
Finding
axios==1.6.0

VirusTotal

VirusTotal findings are pending for this skill version.