Evernote Note

Security checks across malware telemetry and agentic risk

Overview

This Evernote skill is mostly purpose-aligned, but it asks for sensitive note-account access and includes broad activation plus under-disclosed destructive and credential-handling risks.

Install only if you are comfortable giving the skill access to your Evernote/Yinxiang account. Treat EVERNOTE_TOKEN and YX_AUTH_TOKEN as account secrets, do not run the test script where logs are shared, confirm before creating/appending/clipping notes, and avoid using the undocumented deletion capability unless the skill adds explicit confirmation and recovery guidance.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (16)

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The FAQ states that the skill '不会存储或传输笔记内容到第三方服务器' ("will not store or transmit note content to third-party servers"), but the same document introduces a separate RESTful Web Clipper flow that sends a URL to an external clipping service/gateway to fetch and save page content. This creates a misleading privacy representation: users may believe no third-party transmission occurs when, in fact, clipping necessarily involves sending data to another service and causes external retrieval and storage in their account.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The README states the skill only supports developer-token authentication, but elsewhere documents a separate OAuth-style token requirement for web clipping. This can mislead users into deploying the skill without understanding all credential types and trust boundaries, increasing the chance of insecure setup or accidental exposure of a second privileged token.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The FAQ claims no API Key or OAuth setup is needed, which contradicts the web-clipping workflow's separate token requirement. Security-relevant documentation contradictions are dangerous because users may skip required credential segregation or misunderstand what external services and permissions the skill actually uses.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The metadata says only EVERNOTE_TOKEN is required, but the documented Web Clipper workflow also requires YX_AUTH_TOKEN. This inconsistency can cause unsafe partial setup, confusing failures, and bypass of informed consent because users may enable the skill without realizing a second credential and additional API surface are involved.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The document states the skill only supports developer-token auth, but later implements a second auth model using YX_AUTH_TOKEN for clipping. Conflicting security documentation is dangerous because operators may incorrectly assess trust boundaries, token scope, and review requirements, especially when a new external API path is introduced.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The reference file documents a destructive deleteNote capability even though the skill metadata only describes searching, browsing, reading, creating, appending, and web clipping. Undisclosed destructive operations expand the effective capability surface of the skill and could enable accidental or unauthorized data deletion if the implementation exposes or later wires this method without explicit user awareness and safeguards.

Description-Behavior Mismatch

Low
Confidence
67% confidence
Finding
The API reference includes notebook creation capability that is not clearly disclosed in the skill metadata, creating a documentation-to-capability mismatch. While less severe than deletion, hidden write capabilities can still surprise users and broaden what an agent may do to persistent user data without clear expectation-setting.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The release notes advertise clipping arbitrary URLs into notes via a RESTful API but do not clearly warn users that invoking this feature transmits the URL and triggers remote retrieval/processing of page content by an external service. For a note-taking skill handling personal information, incomplete disclosure of outbound data flow can lead users to submit sensitive or internal URLs without understanding the privacy implications.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The document instructs users to configure EVERNOTE_TOKEN but does not prominently warn that this token is a sensitive account credential with broad access to the user's notes. Without explicit handling guidance, users may paste it into logs, screenshots, shell history, shared environments, or repositories, enabling unauthorized account access if exposed.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README advertises clipping arbitrary URLs and creating/appending notes without clearly warning that user-supplied content and URLs will be transmitted to Evernote services and that account data will be modified. In a note-management skill, these are expected capabilities, but the lack of explicit disclosure reduces informed consent and may lead to accidental exfiltration of sensitive content or unintended account changes.

Vague Triggers

High
Confidence
97% confidence
Finding
The activation rules are extremely broad, triggering on generic phrases like '帮我记一下' ("help me jot this down") or any personal-document intent, even when the user did not explicitly request Evernote. In an agent setting, this can cause unintended access to private notes or unintended writes/exfiltration to an external note service from routine conversation, making the context significantly more dangerous because the skill handles sensitive personal content.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The document exposes how to use a live authentication token format and describes privileged note-search and note-access endpoints without any explicit guidance on secure handling, least-privilege use, or user consent. In an agent-skill context, this increases the chance that implementers or downstream tooling will log, mishandle, or invoke note-data APIs without adequately warning users that personal note content may be accessed.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The web-clipping section documents an API call that causes persistent side effects—saving third-party webpage content into the user's account—but does not clearly warn that invoking the endpoint imports external content and creates a note. In an agent workflow, this omission can lead to silent or unexpected writes to a user's knowledge base, including storage of sensitive, copyrighted, or maliciously chosen content.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The documentation presents destructive note deletion as a normal operation without any warning, confirmation guidance, or safety constraints. In a note-management skill handling personal knowledge data, this increases the chance that downstream agents or maintainers treat deletion as routine and invoke it without adequate user consent or recovery planning.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script prints the first 20 characters of EVERNOTE_TOKEN to console, which is a partial credential disclosure. Even truncated secrets materially aid attackers by exposing token format/prefixes and can leak into shell history, CI logs, terminal recordings, or support screenshots.

External Transmission

Medium
Category
Data Exfiltration
Content
echo
echo "=== 2. clipAndSaveNote (剪藏 example.com) ==="
RESP=$(curl -s -X POST \
  "$BASE/third/clipper-gateway/restful/v1/clipAndSaveNote" \
  -H "Content-Type: text/plain" \
  -H "auth: $YX_AUTH_TOKEN" \
Confidence
83% confidence
Finding
curl -s -X POST \
  "$BASE/third/clipper-gateway/restful/v1/clipAndSaveNote" \
  -H "Content-Type: text/plain" \
  -H "auth: $YX_AUTH_TOKEN" \
  -H "clipper-c-auth: $YX_AUTH_TOKEN" \
  -d

VirusTotal

65/65 vendors flagged this skill as clean.
