Security audit

Mowenskill Publish

Security checks across malware telemetry and agentic risk

Overview

This appears to be a coherent Mowen note-management skill, but users should understand that edits can overwrite notes and selected content/images are sent to Mowen.

Install only if you intend to use Mowen as the destination for these notes and images. Before editing, fetch or back up the existing note because updates may replace the whole note. Avoid sending confidential text or local images unless Mowen's privacy and retention practices are acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium, 90% confidence

Finding: The edit workflow mentions that the entire note content will be replaced, but the warning is easy to miss and is not framed as an explicit destructive-action warning to the user. This can lead to accidental overwriting of existing note content if a user believes the operation is patch-like rather than replace-all. The context makes this materially relevant because the skill performs live content updates against a remote API.

Missing User Warnings

Medium, 96% confidence

Finding: The skill states that local file paths and note content are handled automatically and uploaded via remote APIs, but it does not present this as a clear privacy/security warning. Users may provide sensitive local images or confidential text without realizing they will be transmitted to a third-party service. Because the skill is specifically designed to upload user content externally, this omission raises the risk of inadvertent data disclosure.

VirusTotal

66/66 vendors flagged this skill as clean.