思源笔记增强版 (SiYuan Note Enhanced Edition)

Security checks across malware telemetry and agentic risk

Overview

This SiYuan note skill mostly does what it claims, but it ships hardcoded credentials and write-capable scripts that can modify a live note system without clear user review.

Install only after removing the hardcoded-token debug/test scripts, rotating that exposed token if it may be real, and configuring your own endpoint via environment variables. Treat conversation sync as persistent export: review or redact chats before syncing, avoid auto-sync for sensitive work, and verify which notebook or document will be modified.
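The configuration discipline described above, as an added example that is not the skill's own code: the token is read from the environment only, a config file that already holds one is rejected, nothing secret is ever written back to disk, auto_sync defaults to off, and a non-loopback endpoint must be https so the token is not sent in the clear. The variable names SIYUAN_API_URL and SIYUAN_TOKEN, the JSON config layout, the loopback port and the placeholder token are assumptions for the example.

```python
"""Credential and endpoint handling for a SiYuan-style skill (added example, not the skill's code).

Assumptions not taken from the audit page: env var names SIYUAN_API_URL / SIYUAN_TOKEN,
a JSON config file, a loopback sample endpoint on port 6806 and a placeholder token.
"""
import ipaddress
import json
import tempfile
from pathlib import Path
from typing import Optional
from urllib.parse import urlparse

# Keys that must never reach the on-disk config.
SECRET_KEYS = {"token", "api_token", "authorization"}


class ConfigError(ValueError):
    pass


def validate_endpoint(url: str) -> str:
    """Reject endpoints that would carry the bearer token in plaintext."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ConfigError(f"malformed endpoint: {url!r}")
    host = parts.hostname
    loopback = host == "localhost"
    try:
        loopback = loopback or ipaddress.ip_address(host).is_loopback
    except ValueError:
        pass  # a hostname, not an IP literal
    if parts.scheme == "http" and not loopback:
        raise ConfigError("plain http to a non-loopback host would expose the token")
    return url


def load_config(env: dict, path: Optional[Path] = None) -> dict:
    """Merge optional on-disk settings with the environment; the token comes from env only."""
    cfg = {"auto_sync": False, "sync_interval": None}
    if path is not None and path.exists():
        on_disk = json.loads(path.read_text())
        if SECRET_KEYS & set(on_disk):
            raise ConfigError(f"{path} stores a credential; delete it and rotate the token")
        cfg.update(on_disk)
    url, token = env.get("SIYUAN_API_URL"), env.get("SIYUAN_TOKEN")
    if not url or not token:
        raise ConfigError("SIYUAN_API_URL and SIYUAN_TOKEN must be set in the environment")
    cfg["api_url"] = validate_endpoint(url)
    cfg["token"] = token
    cfg["auto_sync"] = cfg["auto_sync"] is True  # opt-in; only an explicit boolean true counts
    return cfg


def persist_config(cfg: dict, path: Path) -> dict:
    """Write only non-secret settings, owner-readable, and return what was written."""
    safe = {k: v for k, v in cfg.items() if k not in SECRET_KEYS}
    path.write_text(json.dumps(safe, indent=2))
    path.chmod(0o600)
    return safe


def demo() -> dict:
    """Round-trip through a temp dir; returns the loaded config and the on-disk text."""
    env = {"SIYUAN_API_URL": "http://127.0.0.1:6806", "SIYUAN_TOKEN": "example-token-not-real"}
    cfg = load_config(env)
    with tempfile.TemporaryDirectory() as d:
        path = Path(d) / "config.json"
        written = persist_config(cfg, path)
        return {"cfg": cfg, "written": written, "on_disk": path.read_text()}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The rejection of a config file that already contains a token is deliberate: it turns the audited "env var becomes plaintext file" path into a hard error at the next start, so a leftover file is noticed and the token gets rotated rather than silently reused.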

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (32)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill documentation and metadata indicate access to environment variables, local files, and networked APIs, but it does not declare corresponding permissions. This creates a transparency and governance gap: users or the hosting platform may not realize the skill can read tokens, persist data locally, and transmit content to a remote service. In a skill that handles note syncing and conversation export, undeclared capabilities materially increase the risk of unintended data exposure.

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The stated purpose is basic read/write interaction with SiYuan, but the documented behavior goes further by supporting full conversation syncing, bulk history export, article clipping, template rendering, configuration persistence, and direct remote API use. This mismatch can mislead users and reviewers about the true data handling and execution surface, especially since the examples include exporting conversation histories and storing credentials in config. The combination of understated scope and expanded data-processing features makes accidental over-collection and disclosure more likely.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The module manages a local configuration file and persists the SiYuan API URL and token to disk, expanding its capabilities beyond simple note read/write. Storing credentials in plaintext under a user home directory increases the risk of token disclosure through filesystem access, backups, or accidental sharing.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The skill reads the API token from environment variables and then later saves configuration to disk, which can convert a relatively ephemeral secret into a plaintext stored credential. This broadens the attack surface because any local process or user with access to the config file can recover the token and access the note system.

Intent-Code Divergence

Medium
Confidence
83% confidence
Finding
If document creation fails, the fallback appends content into the first existing document in the notebook rather than creating a new isolated document. This can silently write conversation data into an unrelated note, causing integrity issues and unintended disclosure of synced content.
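The fallback described in this finding, run side by side with a fail-closed version, as an added example that is not the skill's code. Both run against an in-memory stand-in for the note API (create_doc/list_docs/append_block are assumed names, not the SiYuan API), so the difference is observable without a live instance.

```python
"""Fail closed when document creation fails (added example, not the skill's code).

FakeSiYuan is a constructed in-memory stand-in; its method names are assumptions.
"""
from dataclasses import dataclass, field


class CreateFailed(RuntimeError):
    pass


@dataclass
class FakeSiYuan:
    """Minimal stand-in for a notebook API: doc_id -> list of markdown blocks."""
    docs: dict = field(default_factory=dict)
    fail_create: bool = False  # simulate the createDoc call failing
    _next: int = 0

    def list_docs(self, notebook):
        return sorted(d for d in self.docs if d.startswith(notebook + "-"))

    def create_doc(self, notebook, title):
        if self.fail_create:
            raise CreateFailed("createDoc returned an error")
        self._next += 1
        doc_id = f"{notebook}-doc{self._next}"
        self.docs[doc_id] = [f"# {title}"]
        return doc_id

    def append_block(self, doc_id, markdown):
        self.docs[doc_id].append(markdown)


def sync_unsafe(api, notebook, title, content):
    """The audited pattern: on failure, write into whatever document comes first."""
    try:
        doc_id = api.create_doc(notebook, title)
    except CreateFailed:
        doc_id = api.list_docs(notebook)[0]  # an unrelated note receives the transcript
    api.append_block(doc_id, content)
    return doc_id


def sync_safe(api, notebook, title, content):
    """Hardened: no implicit target; surface the failure and write nothing."""
    try:
        doc_id = api.create_doc(notebook, title)
    except CreateFailed as exc:
        raise RuntimeError(
            f"refusing to sync: could not create {title!r} in {notebook}: {exc}"
        ) from exc
    api.append_block(doc_id, content)
    return doc_id
```

The safe variant returns the new document id on success and raises on failure; the caller decides whether to retry or ask the user for a target. Silently choosing a target on the user's behalf is what turns a transient API error into a disclosure into the wrong note.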

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README advertises conversation syncing and note-writing but does not clearly warn users that chat content may be transmitted to and persistently stored in SiYuan. In a note-taking integration skill, this creates a realistic privacy and data-retention risk because users may assume ordinary assistant conversations are ephemeral unless explicitly told otherwise.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The sample configuration enables auto_sync by default and sets a periodic sync interval without an explicit warning that conversations may be written automatically. This is dangerous because users copying the example may unknowingly enable ongoing background export of potentially sensitive chat data to an external note store.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The activation guidance includes '或类似请求' ('or similar requests'), which is an overly broad catch-all that can cause the skill to trigger on ambiguous user intent. For a skill capable of writing notes and syncing conversations to an external application, mistaken activation can lead to unintended data transfer or note modification. Broad triggering is especially risky when the skill has both read and write behaviors.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The keyword trigger list contains broad standalone phrases such as '思源笔记' ('SiYuan Note'), which may match a casual mention rather than a clear instruction to use the skill. Because the skill can create documents, append content, and synchronize conversations, a loose trigger increases the chance of unintended invocation and data handling. In context, the risk is not remote code execution but unauthorized or surprising actions on user data.
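An intent-gated alternative to the bare-keyword triggers in the two findings above, as an added example that is not the skill's trigger logic (which the page does not show). Activation requires a product mention and an explicit note action in the same request, a negated request never activates, and a mention alone yields a prompt for confirmation rather than an action. The keyword lists are illustrative assumptions.

```python
"""Intent-gated trigger check (added example; the skill's real trigger list is not on the page).

Keyword lists below are illustrative assumptions, not the skill's.
"""
import re

PRODUCT = re.compile(r"(思源笔记|siyuan)", re.IGNORECASE)

# Actions that imply the user wants the skill to act, not merely to talk about the product.
ACTIONS = {
    "write": re.compile(r"(create|append|save|sync|clip|写入|创建|同步|保存|剪藏)", re.IGNORECASE),
    "read": re.compile(r"(search|find|read|open|list|搜索|查找|查看|打开)", re.IGNORECASE),
}
NEGATING = re.compile(r"\b(don'?t|do not|never)\b|不要|别", re.IGNORECASE)


def classify_trigger(text):
    """Return (activate, action_kind, reason) for one user request."""
    if not PRODUCT.search(text):
        return False, None, "no product mention"
    if NEGATING.search(text):
        return False, None, "request negated"
    for kind, pat in ACTIONS.items():  # write checked first: it is the riskier path
        if pat.search(text):
            return True, kind, f"explicit {kind} intent"
    return False, None, "mention only; ask the user to confirm"


def needs_confirmation(action_kind):
    """Write-capable activations still get a confirmation step before anything persists."""
    return action_kind == "write"


if __name__ == "__main__":
    for sample in ("Save this conversation to SiYuan",
                   "Search my 思源笔记 for last week's notes",
                   "I heard 思源笔记 is popular",
                   "Don't sync anything to SiYuan"):
        print(sample, "->", classify_trigger(sample))
```

Even with the gate, a "write" classification is only a proposal: the confirmation step is what prevents a misfire from becoming a persistent change to the notebook.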

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill description does not clearly warn that using sync and write features may send conversation content to a local or remote SiYuan API and create or modify notes. Users may reasonably assume a simple note assistant without realizing that full conversation data, metadata, or history could be persisted externally. Lack of up-front disclosure undermines informed consent for data transfer and retention.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The documentation presents note creation and web clipping as simple operations without clearly warning that these actions modify user notes and may transmit webpage-derived data to the SiYuan API. This can lead to uninformed user consent, accidental data ingestion, or privacy surprises when users clip sensitive pages or create documents programmatically.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script performs a write operation to SiYuan by creating a document immediately, without any explicit confirmation, dry-run mode, or guardrail to ensure the user intended persistent note modification. In an agent skill context, silent state-changing actions are risky because they can alter or pollute a user's knowledge base simply from invocation or mis-triggering.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script performs write operations against a live SiYuan instance, creating documents and daily notes, without any confirmation prompt, dry-run mode, or prominent warning that remote notebook data will be modified. In a skill ecosystem, this increases the risk of unintended data creation or state changes when a user or operator runs what appears to be a simple debug utility.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
A hardcoded authentication token is embedded directly in the script and automatically used for all network requests. If the code is shared, committed, or packaged, the credential can be reused by others to access and modify the connected SiYuan instance, especially since the target is a reachable HTTP service on a private network.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The verification script creates a real test document in the user's SiYuan notebook as part of normal execution, but it does not provide any upfront warning, confirmation prompt, or dry-run mode before performing the write. In a read/write note-taking skill, unsolicited persistent writes can surprise users, pollute notebooks, and violate expectations about what a 'verification' action will change.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The article clipping test persists clipped content into the notebook without explicit advance disclosure or consent, creating additional user data as a side effect of validation. Because clipping writes a titled document with content, URL metadata, and tags, it can clutter user notes and may cause trust or workflow issues if the skill is run automatically or by an unsuspecting operator.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The sync path writes conversation content to SiYuan and returns a success message showing the destination, but there is no explicit consent, warning, or sensitivity check before persisting potentially private user/assistant messages. In an agent setting, this creates a real confidentiality and retention risk because users may not realize their chat content is being stored externally and durably.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The script sends conversation content to the SiYuan note-sync backend immediately via `siyuan.sync_conversation(conversation_data)` without any explicit privacy notice, destination review, or confirmation step. Because the tool is specifically designed to handle chat transcripts, this can cause accidental disclosure of sensitive prompts, credentials, personal data, or proprietary information if users invoke it casually or from files/stdin containing confidential content.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The sync function transmits conversation data to the SiYuan HTTP API without any explicit consent flow, warning, or visibility to the user about what content is being sent. In an agent setting, conversations may contain secrets, personal data, or sensitive instructions, so silent synchronization materially increases privacy and data leakage risk.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The code handles a sensitive API token from environment variables and persists related configuration without any warning to the user about credential storage risks. Lack of transparency around secret handling makes accidental exposure more likely, especially in shared or multi-user environments.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
The file contains a hardcoded API token and uses it for authenticated requests over plain HTTP to a specific internal IP address. Anyone with access to the source file, logs, screenshots, or repository history can recover the credential and use it to access or modify notes through the SiYuan API.
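A static check for the two defects named in this finding and the hardcoded-token finding above, as an added example and not a tool from the page: it parses Python source and reports string literals assigned to credential-like names, and plain-http URLs whose host is not loopback. The sample script is constructed with a placeholder token and a documentation-range address standing in for the internal IP; it is not the audited file, and the API path in it is illustrative.

```python
"""Static check for hardcoded credentials and plaintext remote endpoints (added example).

SAMPLE is a constructed script with a placeholder value; it is not the audited file.
"""
import ast
import ipaddress
import re
from urllib.parse import urlparse

TOKEN_NAMES = re.compile(r"(token|secret|api_key|apikey|password|authorization)", re.I)
URL_RE = re.compile(r"https?://[^\s'\"<>]+")


def _plaintext_remote(url):
    """True when the URL is http:// to anything other than a loopback host."""
    p = urlparse(url)
    if p.scheme != "http" or not p.hostname or p.hostname == "localhost":
        return False
    try:
        return not ipaddress.ip_address(p.hostname).is_loopback
    except ValueError:
        return True  # non-loopback hostname over http


def scan_source(src, filename="<script>"):
    """Return (kind, lineno, detail) tuples for each issue found."""
    findings = []
    for node in ast.walk(ast.parse(src, filename)):
        # name = "literal" where the name looks like a credential
        if isinstance(node, ast.Assign):
            targets = [t.id for t in node.targets if isinstance(t, ast.Name)]
            value = node.value
            if (isinstance(value, ast.Constant) and isinstance(value.value, str)
                    and len(value.value) >= 8
                    and any(TOKEN_NAMES.search(t) for t in targets)):
                findings.append(("hardcoded_credential", node.lineno, targets[0]))
        # any string literal containing a plain-http URL to a remote host
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            for url in URL_RE.findall(node.value):
                if _plaintext_remote(url):
                    findings.append(("plaintext_http_endpoint", node.lineno, url))
    return findings


SAMPLE = '''
import requests
API_URL = "http://192.0.2.45:6806"          # constructed address standing in for an internal IP
API_TOKEN = "placeholder-token-value-not-real"
def list_notebooks():
    return requests.post(f"{API_URL}/api/notebook/lsNotebooks",
                         headers={"Authorization": f"Token {API_TOKEN}"})
'''

if __name__ == "__main__":
    for kind, line, detail in scan_source(SAMPLE):
        print(f"{kind} at line {line}: {detail}")
```

Run it over every script shipped with a skill before installing; a hit on either rule means the token must be treated as exposed and rotated, not merely removed from the file.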

Ssd 3

Medium
Confidence
91% confidence
Finding
The documentation promotes automatic syncing of conversations but provides no filtering, minimization, or sensitivity guidance. As a result, secrets, personal data, or other sensitive user inputs could be copied wholesale into notes and retained longer than intended.

Ssd 3

Medium
Confidence
94% confidence
Finding
The example workflow explicitly packages full conversation messages and syncs them into the note system, establishing a direct leakage and retention path for user content. Because this is example code in a user-facing README, it strongly encourages implementations that store raw prompts and replies without safeguards.

Ssd 3

Medium
Confidence
95% confidence
Finding
The auto-sync example encourages ongoing logging of message content and marks it as automatic behavior, which increases the chance that private or regulated data will be captured by default. In the context of an assistant skill, continuous transcript retention is more dangerous because conversations commonly include ad hoc secrets, personal details, and business-sensitive material.

Ssd 3

Medium
Confidence
90% confidence
Finding
The examples explicitly encourage synchronizing full conversation data structures, including user and assistant messages, summaries, conclusions, and metadata, into notes. This semantically promotes retention and transfer of potentially sensitive chat content beyond the original interaction context. If used on conversations containing credentials, personal data, or confidential material, the skill could cause significant privacy leakage.
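A minimization and dry-run step covering the sync findings above (silent persistence with no confirmation or destination review) and the four retention findings here (no filtering before transcripts are stored), as an added example that is not the skill's code. It drops non-user/assistant messages, redacts common secret shapes, and returns a reviewable plan; nothing is transmitted unless dry_run is off and a sender is supplied. The message shape, the secret patterns and the transport stub are assumptions; the sample conversation is constructed.

```python
"""Minimize, redact and preview a conversation before it is synced (added example).

The role/content message shape, the pattern list and the `send` callback are assumptions;
the sample messages used in tests are constructed.
"""
import re

# Ordered so specific patterns win over the generic ones that follow.
SECRET_PATTERNS = [
    ("aws_key", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("github_pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("bearer", re.compile(r"(?i)\b(authorization:\s*)?(bearer|token)\s+[A-Za-z0-9._\-]{16,}")),
    ("private_key", re.compile(
        r"-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]*?-----END [A-Z ]*PRIVATE KEY-----")),
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b")),
    ("long_hex", re.compile(r"\b[0-9a-f]{32,}\b", re.IGNORECASE)),
]


def redact(text):
    """Replace each matched secret with a labelled marker; return (text, [(name, count)])."""
    findings = []
    for name, pat in SECRET_PATTERNS:
        text, n = pat.subn(f"[REDACTED:{name}]", text)
        if n:
            findings.append((name, n))
    return text, findings


def minimize(messages, keep_roles=("user", "assistant")):
    """Drop system/tool messages and redact what remains."""
    out, findings = [], []
    for m in messages:
        if m["role"] not in keep_roles:
            continue
        content, f = redact(m["content"])
        out.append({"role": m["role"], "content": content})
        findings.extend(f)
    return out, findings


def plan_sync(messages, notebook, title, dry_run=True, send=None):
    """Build the sync plan; transmit only when dry_run is False and a sender is given."""
    cleaned, findings = minimize(messages)
    plan = {"notebook": notebook, "title": title, "messages": cleaned,
            "redactions": findings, "sent": False}
    if dry_run or send is None:
        return plan  # reviewable: destination, payload and what was redacted
    send(notebook, title, cleaned)
    plan["sent"] = True
    return plan


if __name__ == "__main__":
    sample = [  # constructed conversation
        {"role": "system", "content": "You are a helpful assistant."},
        {"role": "user", "content": "My key is AKIAABCDEFGHIJKLMNOP, mail me at alice@example.com"},
        {"role": "assistant", "content": "Done."},
    ]
    print(plan_sync(sample, "nb", "chat"))
```

The plan is what an agent should show the user before any write: which notebook, which title, which messages survive, and what was redacted. Pattern matching is a floor, not a guarantee; a redaction count above zero is a good reason to refuse auto-sync for that conversation rather than to proceed.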

VirusTotal

0 of 65 vendors flagged this skill; all 65 reported it clean.