Skill v0.1.0

ClawScan security

Siyuan Notes Skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 13, 2026, 3:48 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's code and runtime instructions generally match a SiYuan notes CLI, but its metadata omits required environment variables, and the runtime behavior reads and writes persistent state and can run arbitrary SQL. These mismatches and persistence details warrant caution before enabling writes or deploying widely.
Guidance
This skill appears to implement a legitimate SiYuan notes CLI, but there are a few red flags you should check before installing or enabling write capability:

- Expectation vs declaration: The skill requires SIYUAN_SERVER and SIYUAN_TOKEN (and an environment flag SIYUAN_ENABLE_WRITE to allow edits), but the registry metadata did not declare any required environment variables or primary credential. Treat that as a metadata omission and confirm you must provide these values before use.
- Sensitive credentials: Only provide SIYUAN_TOKEN to this skill if you trust the code and the agent runtime. With that token the skill can read and (if you enable writes) modify your SiYuan content. Keep SIYUAN_ENABLE_WRITE=false unless you intentionally want to allow edits.
- Disk persistence: The tool records 'read' marks and caches state on disk. Ask or inspect index.js to learn where that cache is stored if you care about local persistence or multi-user environments.
- Arbitrary queries and exports: The JS API exposes executeSiyuanQuery and apply-patch/PMF flows. Those are useful for advanced tasks but also allow wide read access (SQL) and bulk edits. Do not run this skill against an untrusted or remote SiYuan instance without reviewing the code and limiting network exposure.
- What to do next: review index.js and any network-related code to confirm there are no unexpected external endpoints; confirm where cached/read-mark files are written; only set SIYUAN_ENABLE_WRITE=true in trusted contexts; and ideally ask the skill author to update the registry metadata to declare the required env vars (SIYUAN_SERVER, SIYUAN_TOKEN, SIYUAN_ENABLE_WRITE) and document cache paths. If you cannot review the code, treat it as read-only by leaving SIYUAN_ENABLE_WRITE unset/false and avoid running SQL queries that might exfiltrate data.

Review Dimensions

Purpose & Capability
note
The name, description, README and code consistently implement a SiYuan notes helper (search/read/edit/organize, PMF, SQL queries). Requiring Node.js and an accessible SiYuan kernel is expected. However, the skill metadata lists no required environment variables or primary credential even though the README/SKILL.md and code expect SIYUAN_SERVER, SIYUAN_TOKEN and SIYUAN_ENABLE_WRITE (and optional SIYUAN_OPEN_DOC_*). That omission is an incoherence between claimed metadata and actual capability.
Instruction Scope
concern
SKILL.md instructs the agent to run Node CLI commands that will: call the SiYuan API, mark documents as 'read' (side effect), persist the read-mark cache to disk, and execute arbitrary SQL queries via executeSiyuanQuery. These actions are within the stated SiYuan purpose, but the instructions also imply on-disk state and the potential for large exports (full PMF) and SQL execution that could be used to read many records; the SKILL.md does not document where the read-mark cache is stored or other file paths, which is a privacy/operational concern.
Install Mechanism
ok
There is no install spec (instruction-only at registry level), and the skill ships code files (Node.js). No remote download/install script in the registry manifest was detected. Running the skill requires Node.js available in the agent environment; that is reasonable for a Node CLI-based skill. No high-risk external download or obfuscated installer was found in the provided files.
Credentials
concern
The skill requires access to the SiYuan server and token (SIYUAN_SERVER, SIYUAN_TOKEN) and a write-enable flag (SIYUAN_ENABLE_WRITE) according to README/SKILL.md and code, but the registry metadata lists no required environment variables or primary credential. This mismatch is problematic: sensitive credentials are needed for normal operation but were not declared. Other env vars referenced (e.g., SIYUAN_OPEN_DOC_CHAR_LIMIT) are optional. The number and sensitivity of env vars is proportionate to the skill's function, but they must be explicitly declared so users know which secrets will be used.
Persistence & Privilege
note
The skill does not request 'always:true' and does not declare system-wide privileges. It does persist a 'read' marker cache to disk (SKILL.md), and write operations can modify user documents when SIYUAN_ENABLE_WRITE=true. Autonomous invocation is permitted by default (normal), so combined with write capability the skill could perform write operations if the environment variable enabling writes is set. That is expected for an editor skill, but the precise cache path and persistence behavior are not documented in the metadata.