cornell note tool

Security checks across malware telemetry and agentic risk

Overview

This is a local Cornell-notes tool that stores Markdown files on your machine and shows no hidden networking, credential access, or unrelated behavior.

Install this only if you want an agent-accessible local notes folder at ~/cornell-notes. Prefer running scripts/cornell.py from the skill directory instead of /tmp, keep EDITOR or VISUAL set to a trusted editor, and remember that saved notes can later be searched, edited, viewed, or deleted when you ask the skill to do so.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (7)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def _open_in_editor(path: Path):
    editor = os.environ.get("EDITOR") or os.environ.get("VISUAL") or "micro"
    try:
        subprocess.run([editor, str(path)])
    except FileNotFoundError:
        print(c(f"Editor '{editor}' not found. Set $EDITOR env var.", YELLOW))
        print(f"File saved at: {path}")
Confidence
95% confidence
Finding
subprocess.run([editor, str(path)])

Tainted flow: 'editor' from os.environ.get (line 312, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
def _open_in_editor(path: Path):
    editor = os.environ.get("EDITOR") or os.environ.get("VISUAL") or "micro"
    try:
        subprocess.run([editor, str(path)])
    except FileNotFoundError:
        print(c(f"Editor '{editor}' not found. Set $EDITOR env var.", YELLOW))
        print(f"File saved at: {path}")
Confidence
98% confidence
Finding
subprocess.run([editor, str(path)])

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill directs the agent to read and write files, inspect environment-dependent editor settings, and execute shell commands via a bundled Python CLI, but it declares no permissions or user-safety boundaries. That mismatch can cause the agent to perform filesystem and command execution actions without explicit approval controls, increasing the risk of unintended note creation, modification, deletion, or broader abuse if the script behavior changes.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The instructions recommend copying the executable script into /tmp and running it from there, which is unnecessary for note management and weakens trust in code provenance. Using /tmp introduces avoidable risks such as executing a replaced or modified file in a shared temporary location, and it expands the attack surface beyond the skill directory.

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
A note-management skill should not implicitly execute arbitrary external programs, especially in response to normal user actions like creating or editing notes. The skill context makes this more dangerous because note-taking is a low-risk domain, so users and calling agents are unlikely to expect that routine note operations can trigger arbitrary local code execution via environment-controlled editor selection.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The trigger language is broad enough to activate on general conversation about notes, memory, or prior writing rather than a clear request to access or modify stored files. In a note-taking skill with file and shell capabilities, over-triggering can lead to unintended disclosure of note contents or unrequested writes to disk.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The workflow instructs saving user content directly into files under ~/cornell-notes without explicitly warning that persistent local storage will occur. That can surprise users and cause sensitive information to be written to disk unintentionally, especially when the skill offers to capture content directly on the user's behalf.

VirusTotal

66/66 vendors flagged this skill as clean.
