SlonAide

Security checks across malware telemetry and agentic risk

Overview

The note features are legitimate, but the optional remote bridge can run downloaded installer scripts, create login persistence, and expose credentials, so it needs careful review before installation.

Install only if you need AiDeNote mobile remote access to your local OpenClaw instance and trust SlonAide's API/CDN and installer scripts. Avoid running the bridge setup on sensitive machines unless you can inspect or verify the installer, understand the login auto-start service it creates, know how to remove it, and are comfortable giving it access to your SlonAide API key and local OpenClaw connection.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (20)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill documentation describes capabilities that require network access, reading local configuration, and likely environment access, yet no permissions are declared. This weakens transparency and consent, making it easier for a user to install a skill that performs broader actions than expected, especially given the bridge-installation behavior.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The declared purpose is note management, but the skill also installs a remote bridge, downloads remote installer scripts, modifies startup behavior, and enables remote access from a mobile app to the local OpenClaw instance. This is a significant expansion of trust boundary and attack surface that users may not reasonably expect from a transcription/search assistant.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
OS-level bridge installation and persistence are not necessary for ordinary note retrieval or transcription viewing. Embedding these capabilities in the same skill increases risk because it grants system-modifying behavior to a tool whose core purpose is content management.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
Writing local configuration and registering login auto-start services gives the skill persistence on the host, which is a powerful capability unrelated to basic note assistance. If the downloaded bridge or its configuration is compromised, the persistence mechanism ensures recurring execution and ongoing exposure.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The skill extends beyond note management into remote connectivity for the user's local OpenClaw instance. That contextual mismatch matters because users may approve the skill for note access without realizing it also creates a path for external app-driven interaction with a local service.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
This file adds tooling to install and start a remote tunnel/bridge service, which is materially outside the stated scope of a recording/transcription/note assistant. Expanding a note-taking skill into remote host connectivity increases attack surface and can enable unauthorized remote access pathways or persistence features that users would not reasonably expect from the manifest.

Context-Inappropriate Capability

Critical
Confidence
99% confidence
Finding
The code downloads a shell/PowerShell installer from a remote URL, writes it to disk, and executes it via bash or PowerShell. This is a classic remote code execution pattern: if the CDN, DNS, TLS trust chain, configuration override, or upstream script is compromised, arbitrary code will run on the user's machine.

Context-Inappropriate Capability

High
Confidence
93% confidence
Finding
The bridge status logic checks Scheduled Tasks, running processes, and launchd services for a tunnel component, indicating OS-level service management and persistence awareness unrelated to note management. In context, this supports a remote bridge capability that could be used to maintain access or conceal persistence behavior from users who did not expect system service manipulation.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The connection test tool includes credential-derived secrets in user-visible output by printing a masked API key and a token prefix. Even partial secrets should not be displayed in normal tool responses because they can be logged, copied into chat history, exposed to other agents/plugins, or combined with other leaked material to aid credential theft or session abuse.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README instructs users to install a remote bridge that auto-starts on login, but does not clearly disclose that this creates a persistent local service and network-facing integration path between the local machine and the AiDeNote/OpenClaw ecosystem. Users may enable it without understanding persistence, connectivity, trust boundaries, or how to remove/disable it, which increases the risk of unintended exposure or abuse if the bridge or installer is compromised.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README promotes AI transcription, summarization, and semantic search but does not clearly warn that note audio, transcripts, and derived content may be transmitted to external services for processing. Because recordings and notes often contain sensitive personal, business, or regulated data, omission of this disclosure can cause users to expose confidential information without informed consent.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The bridge setup changes startup behavior by registering an auto-start service, but the quick-start flow does not prominently warn users that persistence will be added to their system. Hidden or downplayed persistence undermines informed consent and increases the chance of unwanted long-term execution.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script embeds the API key directly into the request URL path when calling the remote token endpoint. Secrets placed in URLs are commonly captured by logs, proxies, browser/history tooling, and monitoring systems, which increases credential exposure risk beyond the intended recipient. The testing context makes this more dangerous because users may run it casually and not realize their credential is being sent off-host in a high-leakage channel.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
After authentication, the script automatically retrieves note listings and note details, then prints note titles, IDs, transcript length, and summary excerpts to stdout without an explicit consent warning. This can expose potentially sensitive user data in terminal scrollback, shell logs, screen shares, CI logs, or other captured output. In a note/transcript product, the surrounding skill context increases sensitivity because recordings and AI summaries often contain personal or confidential information.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The installer is fetched and executed without any user-facing warning, confirmation, or trust prompt in this file. Even if the upstream script is legitimate today, silent installation of software from the network removes informed consent and makes social engineering or supply-chain compromise substantially more dangerous.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The API key is passed into the installer subprocess environment, disclosing a sensitive credential to externally sourced installation logic. Any installer script or spawned child process can read, log, exfiltrate, or persist that key, and the user is not informed that their credential is being handed to downloaded code.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The connection-test response explicitly reveals part of the API key and part of the bearer token without warning or operational need. Because tool outputs are often stored in logs and conversation history, this creates avoidable credential exposure and increases the chance of unauthorized reuse or targeted secret harvesting.

Session Persistence

Medium
Category
Rogue Agent
Content
> tunnel disconnected: auth rejected: invalid token
> ```
>
> **Fix:** Edit `~/Library/LaunchAgents/cn.aidenote.openclaw-tunnel.plist`,
> delete the `--token-endpoint` line and the URL argument line that follows it, then restart the service:
> ```bash
> launchctl bootout gui/$(id -u) ~/Library/LaunchAgents/cn.aidenote.openclaw-tunnel.plist
Confidence
94% confidence
Finding
plist

Session Persistence

Medium
Category
Rogue Agent
Content
> **Fix:** Edit `~/Library/LaunchAgents/cn.aidenote.openclaw-tunnel.plist`,
> delete the `--token-endpoint` line and the URL argument line that follows it, then restart the service:
> ```bash
> launchctl bootout gui/$(id -u) ~/Library/LaunchAgents/cn.aidenote.openclaw-tunnel.plist
> launchctl bootstrap gui/$(id -u) ~/Library/LaunchAgents/cn.aidenote.openclaw-tunnel.plist
> ```
Confidence
94% confidence
Finding
plist

Session Persistence

Medium
Category
Rogue Agent
Content
> Delete the `--token-endpoint` line and the URL argument line that follows it, then restart the service:
> ```bash
> launchctl bootout gui/$(id -u) ~/Library/LaunchAgents/cn.aidenote.openclaw-tunnel.plist
> launchctl bootstrap gui/$(id -u) ~/Library/LaunchAgents/cn.aidenote.openclaw-tunnel.plist
> ```

### 6. Check bridge status
Confidence
94% confidence
Finding
plist

VirusTotal

VirusTotal findings are pending for this skill version.
