Getnote 1.5.7

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Get笔记 integration for saving, searching, and managing notes through biji.com, with privacy-sensitive remote note access users should understand before authorizing.

Install only if you trust Get笔记/biji.com with the notes, links, images, and searches you use through this skill. Prefer explicit /note commands for sensitive actions, confirm before deleting or moving notes, configure GETNOTE_OWNER_ID in shared contexts, and revoke the stored API key from the provider if you stop using it.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (10)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 91% confidence
Finding: The skill declares no explicit permissions while its content clearly requires access to environment secrets, outbound network calls, and likely auxiliary execution capabilities. This weakens reviewability and consent because operators cannot accurately assess what the skill can do, increasing the chance of unexpected secret use or data exfiltration through external API calls.

Vague Triggers

Medium

Confidence: 85% confidence
Finding: The skill description encourages activation on very common phrases like '记一下', '保存', '收藏', and broad note-related requests, which can cause accidental invocation. In a note-taking skill, unintended activation is risky because it may capture sensitive user content or trigger save/search actions without clear user intent.

Vague Triggers

Medium

Confidence: 88% confidence
Finding: The trigger phrases are broad and overlap with common conversational language, making accidental activation more likely. In a note-management skill, false activation can cause unintended storage, search, or disclosure-related actions against a user's private notes, especially if the agent interprets casual phrases as commands.

Vague Triggers

Medium

Confidence: 93% confidence
Finding: The routing rules rely on single characters and very common fuzzy words like '记', '存', '看看', and '找找' without sufficient contextual checks. This creates a realistic risk of misrouting ordinary conversation into API-backed note operations, which can lead to unintended note creation, retrieval of sensitive personal content, or privacy boundary violations in shared chat contexts.

Vague Triggers

Medium

Confidence: 80% confidence
Finding: The description includes broad trigger phrases such as “说『记一下』就能存，说『搜一下』就能找,” which are common conversational expressions and may cause the skill to activate when the user did not explicitly intend to use this specific note-taking integration. In a skill that can save personal content and search a knowledge base, unintended invocation can expose or store sensitive data without clear consent.

Vague Triggers

Medium

Confidence: 88% confidence
Finding: The documented logic allows the system to infer a target knowledge base from vague user phrasing such as '对应的知识库' or '相关知识库' using fuzzy matching, then proceed automatically when confidence is judged high. In a note-taking skill that can modify user data, this creates a real risk of unintended writes to the wrong knowledge base due to ambiguous natural language, especially because the matching criteria and confidence threshold are unspecified and may over-trigger on ordinary conversation.

Vague Triggers

Medium

Confidence: 95% confidence
Finding: The skill instructs the agent to automatically initiate OAuth Device Flow whenever the API key is missing, even if the user did not explicitly ask to configure or connect the service. This can cause unsolicited authentication prompts, accidental account linking, and user confusion about why authorization is being requested, which weakens consent boundaries around credential-granting actions.

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The skill instructs the agent to send user-provided note text, links, and images to external services (biji.com APIs and OSS) but does not require any disclosure, consent, or warning that potentially sensitive personal data will leave the local environment. In a note-taking context, users may submit highly sensitive content, so silent exfiltration to third-party infrastructure creates a real privacy and data-handling risk even if the feature is intended.

Vague Triggers

Medium

Confidence: 91% confidence
Finding: The trigger examples for semantic search use broad everyday phrases like “搜一下” and “找找我哪些笔记提到了 XX” without clear gating conditions, which can cause the skill to activate when the user is making a general request rather than explicitly requesting access to their notes. In a note-search skill, unintended invocation can expose private note metadata or content snippets from a personal knowledge base.

Vague Triggers

Medium

Confidence: 88% confidence
Finding: The knowledge-base search description says it applies to requests like searching “我的 XX 知识库” but does not define strict activation constraints or verification that the referenced knowledge base belongs to the user and matches intended scope. This ambiguity increases the risk of searching the wrong repository or over-triggering a privileged search flow against personal stored data.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal