Back to skill

Security audit

Siyuan Skill

Security checks across malware telemetry and agentic risk

Overview

This is a real SiYuan Notes CLI, but its broad note access and vector-indexing features need review because some powerful actions are under-scoped or weakly guarded.

Install only after reviewing the scope carefully. Use a least-privilege SiYuan token if possible, prefer whitelist permission mode, keep Qdrant and Ollama on trusted local infrastructure, avoid indexing sensitive notebooks, and do not rely on the documented SQL-injection or permanent-protection guarantees until those issues are fixed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (27)

Tp4

High
Category
MCP Tool Poisoning
Confidence
82% confidence
Finding
The top-level description frames the skill as a note-management CLI, but the document also exposes optional indexing to Qdrant, calls to Ollama/embedding endpoints, and NLP processing. That mismatch can cause operators or agents to invoke the skill without realizing note contents may be transmitted to additional services, increasing data exposure risk for sensitive notes.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
This is a real authorization flaw. In the `path` branch, the code resolves and creates intermediate documents/directories and the final document via `skill.documentManager.createDocument(...)` before the permission wrapper is applied, despite the comment claiming all operations happen after permission checks. An attacker or unprivileged caller could use `--path` to trigger writes in locations that should have been blocked by the centralized permission gate.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
This read-oriented command mutates application state by calling /api/notebook/openNotebook before listing document structure. In an agent setting, users or downstream tools may reasonably expect a metadata read to be side-effect free; hidden state changes can alter the active notebook, trigger sync/UI behavior, or interfere with concurrent workflows, creating integrity and reliability risks.

Description-Behavior Mismatch

High
Confidence
91% confidence
Finding
This command indexes note content into an external vector database and supports cleanup/rebuild flows, which materially expands the skill from a local Siyuan CLI wrapper into a data export/synchronization component. Even if intended for search, it enables bulk replication of user notes to another system, increasing confidentiality risk and creating a larger attack surface if the vector backend is misconfigured or unauthorized.

Context-Inappropriate Capability

High
Confidence
90% confidence
Finding
The code can delete notebook-scoped indexes or clear the entire external collection via force/remove paths. Destructive operations against an external database are dangerous because a user expecting only note-management CLI behavior may unintentionally trigger broad data loss in the vector store, especially when no secondary confirmation or fine-grained authorization is visible here.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The command enumerates all notebooks and exports document contents in bulk for indexing, effectively copying potentially sensitive note data into an external system. In the context of a skill described as a Siyuan API CLI tool, this broader data-exfiltration capability is more dangerous because users may not expect full-repository export behavior.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The configuration supports outbound connections to a Qdrant vector database and an embedding service, which can cause note content or derived sensitive data to leave the local SiYuan environment. Even though the sample URLs point to localhost, the endpoints are configurable, so a user or downstream deployment could redirect content to external services without strong guardrails or explicit consent controls in this file.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The code performs outbound HTTP/HTTPS requests to a fully configurable baseUrl with no allowlist, protocol restrictions beyond http/https, or destination validation. In a note-management skill, this creates SSRF-like network egress and data exfiltration risk because note content may be sent to attacker-controlled endpoints if configuration is influenced by an untrusted party.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The searchContent method concatenates a caller-controlled sql option directly into the SQL statement after only stripping a few comment/statement tokens. This is not robust SQL injection protection: an attacker can still supply arbitrary boolean expressions, subqueries, function calls, or expensive predicates inside the WHERE clause, potentially bypassing intended filtering, exfiltrating broader note data, or triggering denial-of-service through heavy queries.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
This code introduces Qdrant connectivity and collection management behavior that is outside the declared SiYuan API CLI scope. Even if intended as a feature, undisclosed external indexing/search expands the trust boundary and can cause users' note data to be sent to or processed by an additional remote system they did not expect.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The file does more than local note/search operations: it creates and mutates Qdrant collections and indexes. That matters because infrastructure-changing actions against an external service can alter or destroy data beyond the user's expected SiYuan notebook scope, especially when initialization auto-creates resources.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The skill performs network requests to an external Qdrant endpoint using configurable URL and API key, but that remote access is not justified by the stated SiYuan CLI purpose. This creates a data exfiltration and environment-expansion risk because note content, metadata, and search behavior can leave the local SiYuan context.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The clearCollection flow can delete an entire Qdrant collection and then recreate it. In the context of a note-management skill, this is unusually destructive because a mis-triggered call, misuse by another component, or unsafe exposure through the agent interface could wipe all indexed data for the collection.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The skill documentation discloses outbound interaction with an embedding service and a Qdrant vector database, which means note content may leave the primary SiYuan environment and be replicated into additional systems. Without explicit trust boundaries, authentication, transport security, and data handling warnings, this creates data exposure risk for sensitive notes and expands the attack surface through external network services.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The documentation claims 'complete SQL injection protection' while also exposing a user-controlled `--where` clause for custom SQL filtering. Even if some filtering exists, accepting arbitrary predicate fragments contradicts the safety claim and can lead developers or users to overtrust the feature, increasing the chance of injection or unsafe query construction in the implementation.

Intent-Code Divergence

High
Confidence
94% confidence
Finding
The code claims a 'permanent' protection level cannot be removed by command, but setDocumentProtection allows any caller to set the custom-protected attribute to an empty value, effectively removing permanent protection. In a note-management skill that exposes destructive document operations, this breaks an integrity safeguard and can enable deletion of documents that operators believe are undeletable.

Missing User Warnings

Medium
Confidence
68% confidence
Finding
The file enables NLP and vector features by default and initializes them automatically during skill startup, which can cause note content or user queries to be processed by embedding/NLP backends without an explicit consent step in this interface. In a note-management skill, silent activation of content-analysis features increases privacy and data-handling risk, especially if the downstream managers use remote services.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
Document content and metadata are packaged into Qdrant points and transmitted remotely without any evident user-facing disclosure or consent mechanism. This is dangerous because notes may contain sensitive personal or business information, and users may reasonably assume a SiYuan CLI skill keeps such data within the note system unless told otherwise.

Missing User Warnings

Low
Confidence
88% confidence
Finding
Search queries are converted to embeddings/sparse vectors and sent to Qdrant without clear user disclosure. While lower impact than full document export, query text can still reveal sensitive intent, names, credentials, project details, or other confidential information.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation describes indexing note contents into Qdrant and sending content to Ollama for embedding generation, but it does not clearly warn users that their document data will be processed by additional services and may leave the core note-taking system boundary. Even if these services are commonly run locally, users may point them to remote endpoints via configuration, creating privacy and data-handling risk without explicit disclosure.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The documented command `siyuan index --force` can clear the entire collection, which is a destructive operation affecting all indexed data. Without an explicit warning, confirmation requirement, or recovery guidance, users may run it unintentionally and cause broad data loss or service disruption for search functionality.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The documentation exposes a destructive `block-delete` command and provides direct examples for deleting content, but it does not warn that deletion may be irreversible, may remove user-authored data, or should be confirmed before execution. In an agent skill context, this increases the chance that an LLM or user will invoke deletion casually during note maintenance tasks, causing unintended data loss.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The workflow section recommends update, delete, and move operations as normal editing steps without any user-facing safeguards such as confirmation, dry-run, backup, or verification before mutation. Because this skill is meant to drive note-management actions, these examples can normalize unsafe autonomous modification of user content and lead to accidental corruption or deletion at scale.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation states that `siyuan index --force` can clear the entire collection, but it does not present this as a destructive high-risk action requiring explicit operator confirmation. In practice, a user or agent could trigger broad deletion of all vector records, causing availability loss for search and potentially costly reindexing.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The `--remove` mode deletes vector indexes without reindexing them, yet the documentation does not clearly warn that this can leave search data absent until a separate indexing step is performed. This creates an easy foot-gun for data availability and can silently degrade search functionality across documents or notebooks.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.