得到大脑(Get笔记)

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real Get笔记 notes integration, but it needs Review because it can access, modify, delete, and publicly share private notes with broad triggers and limited confirmation guidance.

Install only if you are comfortable granting persistent access to your Get笔记 account. Use explicit commands for save/search/delete/share, configure GETNOTE_OWNER_ID in shared contexts, and verify note contents before creating any public share link.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (12)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill declares no required permissions while its documented behavior clearly depends on environment secrets and outbound network access, creating a capability/manifest mismatch. This can bypass least-privilege review, mislead operators about what the skill can access, and hide sensitive data exfiltration risk if the skill is invoked unexpectedly.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The skill metadata frames the capability as saving, searching, and managing personal notes, but the reference also exposes generation of public share links. That expands the effective data-exfiltration surface from private note management to external publication, which can surprise downstream agents or users and lead to unintended disclosure of sensitive note content. In a personal knowledge-base skill, this is materially risky because notes may contain private text, attachments, transcripts, and linked-page content.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The skill activates on broad everyday phrases like '保存', '收藏', '搜一下', and similar language that can occur in unrelated conversations. Overbroad triggers can cause unintended note saves, searches, or other state-changing actions, increasing privacy risk because this skill operates on personal notes and linked accounts.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The routing table uses ambiguous one-word triggers such as '记', '存', '搜', '看看', and '知识库', which are too generic for a sensitive skill handling private content. In context, accidental routing is more dangerous because the skill can read, modify, delete, and potentially share notes, making unintended execution a meaningful privacy and integrity issue.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The manifest description advertises very broad activation phrases such as saving, searching, and managing notes with colloquial examples like “记一下” and “搜一下” but does not define boundaries, exclusions, or confirmation requirements. In an agent-routing context, this can cause over-triggering on ordinary conversation and send user content to the note service when the user did not clearly intend to invoke it, creating privacy and data-handling risk.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation includes a destructive delete operation that moves notes to trash but provides no guidance to obtain explicit user confirmation or warn about destructive impact. In an agent setting, ambiguous user requests or model mistakes could trigger deletion of personal notes, causing loss of data or forcing recovery from trash. Because this skill manages a personal knowledge base, destructive actions are more dangerous than in a read-only integration.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The share-link section enables creation of a public URL for a note but does not warn that this exposes potentially sensitive personal content outside the private notebook environment. Since notes can include full text, transcripts, attachments, and linked content, an agent could unintentionally publish private information if it invokes sharing without a clear privacy warning and explicit consent. The skill context increases the danger because personal notes often contain confidential or identifying information.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The trigger condition is overly broad: it says to invoke this authorization flow before every API call whenever `$GETNOTE_API_KEY` is absent. In an agent setting, this can cause the skill to activate outside an explicit user request to configure Get笔记, creating confused-deputy behavior where users are unexpectedly prompted to authorize a third-party note service. Because the skill handles credential acquisition, broad auto-triggering increases the chance of credential phishing-like UX, accidental account linking, or unauthorized persistence of secrets.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The document instructs writing a long-lived API key directly into `~/.openclaw/openclaw.json` without any warning about plaintext secret storage, file permissions, local compromise, backups, or multi-user systems. If that file is readable by other local users, exposed through logs/sync/backup tools, or accessed by malware, the attacker can reuse the API key to access the user's Get笔记 data until expiry or revocation.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger examples for global semantic search are broad natural-language phrases like '搜一下' and '找找我哪些笔记提到了 XX', which can overlap with ordinary conversation and cause the skill to invoke note search without sufficiently clear user intent. In a note-search skill, this can expose private note titles and content snippets unintentionally, especially because the API returns semantically matched excerpts directly.

Vague Triggers

Low
Confidence
80% confidence
Finding
The knowledge-base search description does not clearly define matching boundaries for phrases like '在我的 XX 知识库搜一下 XX', leaving room for ambiguous routing when the referenced knowledge base name is unclear or missing. This can lead to searches being executed against the wrong repository or to unintended disclosure of snippets from a different knowledge base than the user expected.

Session Persistence

Medium
Category
Rogue Agent
Content
### Method 2: Manual installation

```bash
mkdir -p ~/.openclaw/workspace/skills/getnote
cd ~/.openclaw/workspace/skills/getnote
curl -sL https://raw.githubusercontent.com/iswalle/getnote-openclaw/main/SKILL.md -o SKILL.md
curl -sL https://raw.githubusercontent.com/iswalle/getnote-openclaw/main/package.json -o package.json
```
Confidence
76% confidence
Finding
mkdir -p ~/.openclaw/workspace/skills/getnote cd ~/.openclaw/workspace/skills/getnote curl -sL https://raw.githubusercontent.com/iswalle/getnote-openclaw/main/SKILL.md -o SKILL.md curl -sL https://raw

VirusTotal

63/63 vendors flagged this skill as clean.
