Zettelkasten note tool

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate note-taking skill, but it needs review because its helper script can run an environment-controlled editor command through the shell and its persistent filesystem setup is under-scoped.

Review before installing. Use it only for a vault path you choose, avoid persistent shell-profile changes unless you want them, and prefer --no-edit or a controlled editor setting until the script replaces shell-based EDITOR execution with a safer subprocess call.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (8)

os.system() or os exec-family call

High
Category
Dangerous Code Execution
Content
def _open_in_editor(path: Path):
    editor = os.environ.get("EDITOR", "nano")
    os.system(f'{editor} "{path}"')

# ── Commands ─────────────────────────────────────────────────────────────────
Confidence
98% confidence
Finding
os.system(f'{editor} "{path}"')

Tainted flow: 'editor' from os.environ.get (line 167, credential/environment) → os.system (code execution)

Medium
Category
Data Flow
Content
def _open_in_editor(path: Path):
    editor = os.environ.get("EDITOR", "nano")
    os.system(f'{editor} "{path}"')

# ── Commands ─────────────────────────────────────────────────────────────────
Confidence
99% confidence
Finding
os.system(f'{editor} "{path}"')

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill instructs the agent to use environment variables, write files, and execute shell-related installation steps, but it does not declare any corresponding permissions or safety boundaries. This creates a transparency and governance gap: a reviewer or runtime may underestimate the skill's capabilities, increasing the chance of unintended file modification or command execution in the user's environment.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The CLI's design directly executes whatever command is stored in `EDITOR`, which is effectively arbitrary code execution by design when `--no-edit` is not used. In the context of an agent skill, this is more dangerous because the tool may be run non-interactively with inherited environment state, so opening a note can become unintended command execution.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger phrases are broad enough to match ordinary note-taking requests such as 'create a note' or 'link my notes,' which may invoke this skill unexpectedly. Because the skill performs filesystem-oriented note-vault actions, overbroad triggering can cause unintended activation and lead to file creation, editing, or vault operations when the user only wanted generic note assistance.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The instructions direct writing `zk.py` into `/mnt/user-data/outputs/`, copying it into `~/.local/bin/`, and initializing a vault under the user's home directory without an explicit warning that files and folders will be created or modified. In a skill context, silent or insufficiently disclosed filesystem changes increase the risk of surprising the user and violating least astonishment, especially when home-directory paths are involved.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The tool executes an environment-controlled editor command without disclosing that it will run through the shell, which increases the chance of unsafe deployment and surprise command execution. While this overlaps with the core command-injection issue, the lack of warning materially worsens operator risk in automation and skill environments.

Session Persistence

Medium
Category
Rogue Agent
Content
```bash
chmod +x zk.py
cp zk.py ~/.local/bin/zk        # optional: make globally available
export ZK_VAULT=~/Zettelkasten  # add to ~/.bashrc or ~/.zshrc
```

### Step 3: Initialise vault
Confidence
96% confidence
Finding
add to ~/.bashrc

VirusTotal

67/67 vendors flagged this skill as clean.
