Siyuan Notes Skill

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed SiYuan notes integration that can read and, when enabled, edit or delete notes, with no artifact-backed hidden exfiltration or deceptive behavior found.

Install only if you are comfortable giving the agent access to your SiYuan workspace. Keep SIYUAN_ENABLE_WRITE=false unless you explicitly want edits, use the least-privileged/local token available, avoid token-in-query mode unless required, and review document or block IDs carefully before write, delete, move, replace-section, or apply-patch operations.

SkillSpector

By NVIDIA

Vulnerability Patterns

Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Ssd 1

Medium

Confidence: 97% confidence
Finding: The README contains a model-targeted instruction telling LLMs to ignore the current file and instead read SKILL.md. In an agent-skill context, this creates an instruction-routing channel specifically for models, which can be used to hide or split behavior between human-visible and model-visible documentation and increases the risk of prompt injection or deceptive capability descriptions.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal