Inkdrop

Suspicious. Audited by ClawScan on May 10, 2026.

Overview

The Inkdrop integration is mostly purpose-aligned, but its helper script builds Python code from note text, which could run unintended local code if given crafted content.

Only install this if you trust the workspace and understand it can read, modify, and delete Inkdrop notes. Avoid using the included helper script until its Python string interpolation is fixed, or use carefully reviewed curl/API calls instead.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Concern (High Confidence)
ASI05: Unexpected Code Execution
What this means

A maliciously crafted note title/body or existing Inkdrop note could cause the helper script to run code on the user's machine if the agent uses the affected create, update, or search paths.

Why it was flagged

The script interpolates note title, body, book ID, and fetched note JSON directly into Python source passed to python3 -c. Crafted content containing quote sequences could break out of the intended string and execute unintended Python code locally.

Skill content
python3 -c "... print(json.dumps({'doctype':'markdown','title':'$TITLE','body':'''$BODY''','bookId':'$BOOK', ...}))" ... note = json.loads('''$NOTE''') ... note['body'] = '''$BODY'''
Recommendation

Rewrite the helper to pass values as argv/stdin to a fixed Python program or use jq/json tooling safely; never embed note text directly into code strings.

What this means

If invoked on the wrong ID, the agent could delete an Inkdrop note or other document the user did not intend to remove.

Why it was flagged

The helper exposes a direct delete operation for any supplied document ID. This matches the stated note-management purpose, but deletion is persistent and has no built-in confirmation or document-type restriction.

Skill content
delete)
    curl -s -u "$AUTH" -X DELETE "$BASE/$1"
Recommendation

Ask for explicit confirmation before delete/update operations and consider restricting deletion to expected note IDs unless the user clearly requests broader document deletion.

What this means

Anyone or anything with access to the configured secret can read or change the user's Inkdrop notes through the local API.

Why it was flagged

The skill needs Inkdrop Basic auth credentials to access the local HTTP API. This is expected for the integration, but it gives the agent authenticated access to the user's Inkdrop data.

Skill content
INKDROP_AUTH:
    required: true
    description: "Basic auth credentials (user:password) from Inkdrop preferences"
Recommendation

Store INKDROP_AUTH only in a trusted secret mechanism, avoid committing it to a repository, and rotate the Inkdrop API password if it may have been exposed.

What this means

The agent may read sensitive note content while fulfilling note-search or note-management requests.

Why it was flagged

The skill can list notes and retrieve change-feed documents from the user's persistent Inkdrop database. This is central to the skill's purpose, but the retrieved notes may contain sensitive personal or project information.

Skill content
curl -s -u $INKDROP_AUTH http://localhost:19840/notes ... curl -s -u $INKDROP_AUTH "http://localhost:19840/_changes?since=0&limit=50&include_docs=true"
Recommendation

Use the skill only in trusted conversations and give specific instructions about which notebooks or notes should be accessed when possible.