Notes (Local, Apple, Notion, Obsidian & more)

Security checks across malware telemetry and agentic risk

Overview

This is a coherent note-taking skill that stores notes locally by default and discloses optional integrations with external note apps, though users should configure activation, credentials, and delete actions carefully.

Install this if you want an agent-managed notes workflow. Keep routing local for sensitive content, choose explicit activation instead of broad automatic capture, protect API tokens with restrictive permissions, and require review before remote writes or any delete command.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (13)

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The integration notes explicitly say action items extracted from remote Notion content are synced into a local file (`~/notes/actions.md`). That extends data flow beyond the user-visible Notion scope and can unexpectedly persist or duplicate potentially sensitive content onto disk, increasing exposure and retention risk.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The trigger phrase "remember" is overly broad and can match ordinary conversation, causing the notes skill to activate when the user did not intend to store information. In a note-writing skill with persistence and optional external routing, unintended invocation can lead to accidental capture of sensitive content and possible propagation into local files or configured third-party note systems.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation instructs users to persist a Bear API token in a plaintext file under their home directory without any warning about credential sensitivity, file permissions, or safer storage options. If the host is shared, backed up insecurely, or compromised by other local processes, the token can be recovered and used to access or modify Bear notes through authenticated grizzly operations.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation includes a destructive delete command for Evernote notes without any confirmation prompt, safety warning, or recommendation to verify the target note first. In an agent skill context, this increases the chance of accidental data loss if the agent or user issues the command with the wrong title or insufficient review.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The authentication section states that an auth token is stored locally but provides no guidance on protecting that token, where it is stored, or the risks of local compromise. A locally stored token can grant ongoing access to Evernote data if read by other users, malware, or insecure tooling, especially on shared or poorly secured systems.

Missing User Warnings

Low
Confidence
87% confidence
Finding
The skill instructs creation and modification of files under ~/notes on first use without any explicit user warning, confirmation step, or note that local filesystem writes will occur. In an agent context, even seemingly harmless file writes can be surprising, create persistence, or overwrite existing user content if the path is reused or symlinked.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The file discloses only at the end that data leaves the machine and that extracted action items may be written locally, but the skill description does not prominently warn users about these data flows before use. This is a real security/privacy issue because users may authorize the integration without understanding that note content can be transmitted to Notion and copied into local files.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill documents `obsidian-cli delete "path/note"` as a normal operation without any warning, confirmation guidance, or recommendation to verify the active vault first. In this context, the skill is designed to let an agent write notes across user-managed vaults, so an agent or user following the instructions could permanently delete the wrong note or delete from the wrong vault, causing real data loss.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The direct file editing section tells the agent/user to resolve the vault path and edit files in place with `nano` but does not warn that this modifies live user data inside the Obsidian vault. Because the skill explicitly supports direct editing without the CLI, mistakes in path selection, file naming, or content generation can overwrite or corrupt notes, though the impact is generally lower than explicit deletion because changes may be recoverable.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The activation preference "Whenever I mention meetings, decisions, or ideas" is overly broad and can cause the skill to trigger during ordinary conversation rather than explicit note-taking requests. This creates a risk of unintended note creation, accidental persistence of sensitive conversational content, and surprising writes to local or third-party note systems.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The trigger condition 'When user starts day or asks for status' is overly broad and can cause the skill to activate on common conversational phrases that are not explicit requests to scan or summarize notes. In a note-writing skill that reads and aggregates local and third-party note sources, ambiguous activation increases the chance of unintended data access or disclosure through unsolicited status summaries.

Vague Triggers

Low
Confidence
79% confidence
Finding
The owner-view instruction 'Generate on request' lacks concrete boundaries for what counts as a valid request, making it possible for loosely related prompts to trigger retrieval of another person's action items. Because the tracker may contain names, deadlines, and note links, unintended activation could expose personal or sensitive work metadata.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The phrase 'Generate on request or every Monday' introduces both a vague manual trigger and an automatic scheduled action without well-defined activation boundaries. In this skill context, automatic weekly review generation may rescan notes and surface aggregated task data without an explicit user request, increasing the risk of unintended processing or disclosure.

VirusTotal

66/66 vendors flagged this skill as clean.
