Yiliu

Security checks across malware telemetry and agentic risk

Overview

This note-taking skill appears legitimate, but its broad activation rules and automatic AI processing can expose or store notes more broadly than users may expect.

Install only if you are comfortable with this skill storing your notes locally and, when OPENAI_API_KEY is configured, sending note text and search queries to the configured AI endpoint. Use explicit Yiliu commands to avoid accidental capture, avoid putting highly sensitive material in it unless you accept the storage and AI-processing model, and be careful with delete/export commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Vague Triggers

Severity: High
Confidence: 97%
Finding
The trigger list contains many generic single-word activators such as '记', '搜', '找', '编辑', and '修改' that commonly appear in ordinary conversation. This creates a prompt-squatting risk where the skill may activate unintentionally during unrelated user requests, causing it to intercept context, override more appropriate skills, or expose note-management actions when the user did not explicitly intend to use this tool.

Vague Triggers

Severity: Medium
Confidence: 92%
Finding
The use condition states only that the skill should be used when the user wants to record notes, search content, view history, or export data, but it does not clearly define boundaries or require explicit invocation of this specific skill. Combined with the broad triggers, this ambiguity increases the chance of accidental activation and unintended access to note-taking or data-export functionality in contexts where another skill or no skill should handle the request.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The code sends user note content, search queries, and related text to remote OpenAI endpoints for embeddings and chat completions, but there is no visible consent gate, privacy disclosure, or data-classification check before transmission. In a note-taking knowledge base, content may include highly sensitive personal or business information, so silent exfiltration to a third-party AI provider creates a real privacy and compliance risk.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
Note content is transmitted to AI embedding and enhancement functions whenever AI is available, with no visible consent gate, sensitivity check, or disclosure at this layer. In a note-taking product, notes may contain highly sensitive personal or business data, so silent forwarding to external AI services can create a privacy and compliance exposure.

Missing User Warnings

Severity: Low
Confidence: 85%
Finding
Semantic search sends the user's query text to embedding generation without any visible warning or consent check. Search queries can contain sensitive information, and transmitting them to an external provider may disclose user intent or private data even if the impact is typically narrower than sending full note bodies.

Missing User Warnings

Severity: Medium
Confidence: 82%
Finding
The module persists full note content alongside embeddings to a local JSON file without any evident consent flow, minimization, encryption, or retention controls. In a note-taking knowledge-base context, notes can contain sensitive personal or business information, so silent local persistence increases privacy and data-exposure risk if the host is shared, backed up insecurely, or later compromised.

VirusTotal

66/66 vendors flagged this skill as clean.