Notelane

Security checks across malware telemetry and agentic risk

Overview

Notelane is a local note-taking CLI, and its plaintext local storage, search, and export behavior are disclosed and fit that purpose.

Install only if you are comfortable with notes being saved and searched as plaintext files under ~/.local/share/notelane. Avoid storing passwords, API keys, confidential client data, or other secrets, and treat export files and terminal output as sensitive because they can contain the full raw note text.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill explicitly stores notes, history, and exports as plain-text files under a predictable local directory, but it does not warn users that sensitive content may be retained in readable logs and export artifacts. In a note-taking context, users are likely to record personal, business, or secret material, so silent plaintext retention increases the risk of local disclosure through backups, shared accounts, malware, or accidental file sharing.

Ssd 3

Medium
Confidence: 88%
Finding
The script persistently stores all user-provided content in plaintext under a predictable path in the user's home directory and later re-displays that content through normal commands. In a note-taking context this is more sensitive than usual because users are likely to enter personal, confidential, or credential-like material, so plaintext retention and broad redisplay increase disclosure risk on shared or compromised systems.

Ssd 3

Medium
Confidence: 90%
Finding
The export command aggregates all stored entries across categories into a single output file, making bulk disclosure trivial once the command is run or if the export file is later accessed by another local process or user. The JSON and CSV exports also write raw unescaped content, which can cause malformed output and increase downstream risk if opened in other tools.

Ssd 3

Medium
Confidence: 87%
Finding
The search and recent-activity features reveal previously entered raw content directly in terminal output, including history entries copied verbatim from user input. In a personal knowledge-base context, this can expose sensitive notes to shoulder-surfing, terminal logging systems, shell scrollback, or other local disclosure channels.

VirusTotal

64/64 vendors flagged this skill as clean.