ClawHub

GetNote

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed GetNote integration for saving, searching, organizing, and trashing personal notes, with privacy-sensitive but purpose-aligned behavior.

Install only if you trust GetNote and openapi.biji.com with your private notes. Keep the API key out of chat, configure GETNOTE_OWNER_ID in shared or group settings, and ask the agent to confirm before deleting notes, changing tags, or running broad searches over private content.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Tainted flow: 'host' from requests.get (line 77, network input) → requests.post (network output)

Medium
Category
Data Flow
Content
"Content-Type": mime_type,
        }
        files = {"file": (file_name, f, mime_type)}
        resp = requests.post(host, data=form_data, files=files)
    
    if resp.status_code not in (200, 204):
        raise Exception(f"上传失败: HTTP {resp.status_code}")
Confidence
91% confidence
Finding
resp = requests.post(host, data=form_data, files=files)

Vague Triggers

Medium
Confidence
92% confidence
Finding
The documented trigger phrases are broad everyday expressions like '记一下' and '搜一下', which can cause the skill to activate when the user did not explicitly intend to access or store private notes. In a note-taking and knowledge-base skill, accidental invocation can lead to unintended persistence of sensitive content or unintended retrieval of personal data.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The recall/search examples are loosely scoped, such as asking to find prior work-related notes or prior discussions, without requiring an explicit notebook, time range, or ownership confirmation. For a system handling private notes, ambiguous search intents increase the risk of over-broad retrieval and disclosure of unrelated sensitive material.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger phrases are broad everyday expressions such as '记一下' and '搜一下', which can cause the skill to activate when the user did not intend to access a private notes system. In a privacy-sensitive skill that can read, save, search, and delete personal notes, overbroad activation raises the chance of unintended disclosure or modification of user data.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill documents destructive deletion of notes but does not require an explicit confirmation step or user warning before moving content to the recycle bin. Because the same skill also supports broad triggers and personal data operations, accidental or prompt-induced deletions become materially more likely.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The skill metadata lists many broad natural-language trigger phrases such as '记一下', '搜一下', and '找找', which can overlap with ordinary conversation and cause the skill to activate when the user did not clearly intend to use it. In a notes/search skill, accidental activation can expose or modify personal notes, save unintended content, or perform searches over private knowledge bases without sufficiently explicit user intent.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal