Logseq

Security checks across malware telemetry and agentic risk

Overview

This Logseq skill is mostly documentation-only and purpose-aligned, but its example bridge could expose broad unauthenticated read, write, delete, and Git capabilities against a local notes graph.

Install only if you intend to let an agent automate your local Logseq graph. If you build the bridge, keep it localhost-only, require an auth token, allowlist only the exact methods you need, review proposed edits, confirm deletes and bulk changes, restrict Git commands, and keep backups or version control enabled.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Context-Inappropriate Capability

Medium
Confidence: 84%
Finding
The skill documents `logseq.Git.execCommand(args)` as an available capability, which expands beyond note-taking/content automation into shell-adjacent command execution within the graph's git context. In a locally accessible API skill, exposing or normalizing this capability increases the chance an agent could perform unintended repository operations such as reset, checkout, commit, push, or destructive history changes unrelated to the declared purpose.

Context-Inappropriate Capability

High
Confidence: 95%
Finding
The bridge example exposes arbitrary dynamic dispatch over HTTP via `handleAPICall({ method, args })` and calls `logseq.Editor[method](...args)` without validation. This creates a generic local RPC interface to powerful editor methods, enabling any local process or misdirected agent action to invoke destructive or unexpected operations such as deleting pages, overwriting content, or abusing undocumented methods if the bridge is reachable.

Context-Inappropriate Capability

Medium
Confidence: 94%
Finding
The bridge example forwards arbitrary externally supplied namespace and method values into the Logseq API with no authentication, authorization, or allowlist. In practice, that creates a generic capability bridge to local graph read/write operations, so any process or caller that can reach the bridge can query, modify, move, or exfiltrate Logseq content far beyond the narrowly scoped examples described in the skill.

Missing User Warnings

Medium
Confidence: 80%
Finding
The top-level skill description advertises creating, inserting, managing, and automating workflows in a local Logseq graph without any warning that these operations can modify or remove user data. In an agent skill, omission of safety boundaries can lead users or downstream agents to invoke destructive actions under the assumption the capability is read-oriented or low risk.

Missing User Warnings

Medium
Confidence: 89%
Finding
The documented `deletePage(pageName)` operation is presented without warning about irreversible or hard-to-recover data loss. In a local knowledge base, accidental invocation could delete significant user content, and an agent using this documentation may not apply appropriate confirmation or backup safeguards.

Missing User Warnings

Medium
Confidence: 91%
Finding
The HTTP bridge example presents external API exposure as a straightforward pattern without warning users that it grants broad access to local notes and graph metadata. In the context of a local knowledge base, undocumented exposure of read/write access can lead to silent data exfiltration or destructive edits by other local software or by any network-reachable client if misconfigured.

VirusTotal

63/63 vendors flagged this skill as clean.
