YoudaoNote

Security checks across malware telemetry and agentic risk

Overview

The skill’s YoudaoNote features are coherent, but its setup tells users to run an unverified remote installer with full shell execution.

Install only if you trust the YoudaoNote CLI source and are comfortable granting it access to your notes. Prefer downloading and inspecting the installer first, use a limited or revocable API key if available, avoid putting secrets or confidential CI artifacts into notes, and keep the API key out of shared terminals, logs, and repositories.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The skill explicitly supports listing, reading, creating, clipping, and saving notes to a remote YoudaoNote account, but it does not warn that note contents, clipped web pages, and JSON payloads will be transmitted to an external third-party service. In an agent context, this can cause users or downstream systems to send sensitive data off-device without informed consent, especially when used in scripts or CI workflows.

External Script Fetching

High
Category
Supply Chain
Content
```sh
# Install (no Node.js required)
curl -fsSL https://artifact.lx.netease.com/download/youdaonote-cli/install.sh | bash

# Configure API Key (get from https://mopen.163.com/#/dashboard)
youdaonote config set apiKey YOUR_API_KEY
```
Confidence
98% confidence
Finding
curl -fsSL https://artifact.lx.netease.com/download/youdaonote-cli/install.sh | bash

Chaining Abuse

High
Category
Tool Misuse
Content
```sh
# Install (no Node.js required)
curl -fsSL https://artifact.lx.netease.com/download/youdaonote-cli/install.sh | bash

# Configure API Key (get from https://mopen.163.com/#/dashboard)
youdaonote config set apiKey YOUR_API_KEY
```
Confidence
99% confidence
Finding
| bash

VirusTotal

60/60 vendors flagged this skill as clean.
