Back to skill

Security audit

Quicknote

Security checks across malware telemetry and agentic risk

Overview

QuickNote is a local note-taking script with expected plaintext local storage and export behavior, with no evidence of network sharing, credential use, hidden automation, or destructive implemented actions.

Install only if you are comfortable with notes being stored locally in plaintext under ~/.local/share/quicknote. Avoid putting passwords, tokens, or confidential material in it, and treat exports as copies of your notes that may be easier to sync, share, or leave behind. Also verify the available commands after installation because the documentation and script do not fully match.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill advertises destructive and bulk-output actions (`delete` and `export`) without any warning, confirmation, or stated safeguards. In an agentic context, this increases the risk of unintended data loss or accidental mass disclosure of local notes if the commands are invoked loosely or inferred from user intent.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The script automatically persists all user-provided content under ~/.local/share/quicknote and appends activity to history.log without a clear upfront notice or consent flow. In a note-taking context, users may enter sensitive personal or work data, and silent disk persistence increases the risk of unintended local disclosure through backups, shared accounts, or later export/access by other local processes running as the same user.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The export command creates new aggregate files containing all note contents in json/csv/txt formats without warning that sensitive data will be duplicated into additional files. This broadens the exposure surface because exported files may be easier to copy, sync, index, or mishandle than the original logs, especially in a tool intended for quick capture of potentially sensitive notes.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.