Back to skill

Security audit

思源笔记增强版

Security checks across malware telemetry and agentic risk

Overview

The skill mostly does what it says, but it ships sensitive credential-handling patterns and write/sync scripts that can persist full conversations to SiYuan with weak safeguards.

Review carefully before installing. Use only with a SiYuan instance you control, rotate or ignore the hardcoded token shipped in the debug/test files, prefer SIYUAN_API_TOKEN over plaintext config, avoid syncing conversations that contain secrets or personal data, and run write/verification scripts only when you intentionally want notes created in your workspace.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (26)

Lp3

Medium
Category
MCP Least Privilege
Confidence
87% confidence
Finding
The skill documents access to environment variables, local configuration files, and networked SiYuan APIs, but it does not declare corresponding permissions. This creates a transparency and governance gap: users and the host platform may not realize the skill can read secrets, read/write files, and transmit data externally, increasing the chance of over-privileged or unexpected data access.

Tp4

High
Category
MCP Tool Poisoning
Confidence
83% confidence
Finding
The description frames the skill as simple note read/write, but the documented behavior goes further by supporting article clipping, template rendering, config file persistence, bulk/automatic syncing, and richer conversation processing. That mismatch weakens informed consent and can cause the skill to be invoked in contexts where users do not expect broader local storage or external transmission of content.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The code writes a persistent local config file containing connection details and potentially the SiYuan API token, but the skill description only advertises note read/write behavior. Storing secrets in a predictable plaintext path without explicit disclosure or file-permission hardening increases the risk of credential leakage to other local users, tools, or backups.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README advertises conversation sync and note-writing capabilities but does not clearly warn users that chat content may be persistently stored in SiYuan. This creates a real privacy and data-handling risk because users may trigger storage of sensitive prompts, secrets, or personal data without informed consent.

Missing User Warnings

High
Confidence
97% confidence
Finding
The sample configuration sets "auto_sync": true by default, encouraging automatic export of conversations to persistent storage without a prominent warning. In an agent skill context, default-on data export is especially risky because users may not realize routine interactions are being continuously copied into notes.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The auto-activation examples indicate the skill may trigger on ordinary phrases related to reading or syncing notes, but they do not clearly warn that this can modify notes or persist conversation data. In a conversational agent, implicit activation increases the chance of unintended writes or leakage of private content into the note system.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The auto-sync section instructs periodic synchronization of OpenClaw conversations to SiYuan without a strong privacy warning, scoping control, or confirmation step. In practice this can exfiltrate sensitive user prompts, credentials, business data, or private conversation history to another system or persistent store without sufficient user awareness.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The usage guidance encourages document creation and web clipping without clearly warning that these actions modify user data and may store content from external URLs, including potentially sensitive metadata. In a note-taking skill with read/write access, lack of explicit safety and privacy guidance can lead to unintended persistence of private or untrusted content.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script performs a write operation to SiYuan immediately by calling create_document without any interactive confirmation, dry-run mode, or explicit safety gate. In an agent/skill context, this increases the risk of unintended persistent changes to a user's notes, especially if triggered automatically or with loosely matched intent.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
The script hardcodes an authorization token and automatically sends it in HTTP requests to a network service. Embedding secrets directly in source code is dangerous because the token can be leaked via source control, logs, backups, or reuse by anyone with file access, enabling unauthorized access to the SiYuan API.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This script performs document-creation operations against a live notebook service without any confirmation prompt, dry-run mode, or warning that user data will be modified. In an agent skill context, silent write operations are more dangerous because they can create or alter notebook content unexpectedly and repeatedly.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The verification script performs a real write operation by creating a document in the user's SiYuan notebook as part of testing, but it does not present an explicit warning, dry-run mode, or confirmation gate before modifying user data. In an agent skill context, unexpected persistent writes are risky because a caller may assume validation is read-only, leading to unwanted notebook clutter or accidental data modification in a live workspace.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
This code clips and saves article content into the user's notebook, which is another persistent write side effect performed during verification without explicit upfront consent. In a note-management skill, writing is expected functionality, but doing so automatically during a verification routine increases the risk of silent data creation and may normalize unsafe write behavior in environments where validation is expected to be non-destructive.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The sync command path allows persisting conversation content into SiYuan notes without any explicit confirmation, warning, or sensitivity check at the point of use. In an agent setting, conversations often contain secrets, personal data, or internal context, so one command can unintentionally exfiltrate or permanently store sensitive content outside the immediate session.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script collects conversation text from stdin, command-line arguments, or a file and forwards it to the note system via `siyuan.sync_conversation(...)` without any explicit consent prompt, privacy notice, or data sensitivity check. In an agent skill context, conversation content may contain secrets, personal data, or internal prompts, so silently persisting it to an external/local note system increases the risk of unintended disclosure.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The sync path persistently writes complete conversation content into SiYuan without an explicit confirmation gate at the point of write. In an agent context, conversations may contain credentials, personal data, or proprietary information, so silent persistence meaningfully raises privacy and data-handling risk.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
The script hardcodes an authentication token and sends it in Authorization headers to the API. Hardcoded secrets are dangerous because they can be leaked via source control, logs, screenshots, or redistribution of the skill, allowing unauthorized access to the user's notes service.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script performs write operations that create documents or append content immediately when run, without an explicit confirmation step or clear warning that user data will be modified. In an agent-skill context, this increases the risk of unintended state changes to a user's notebook, especially if invoked automatically or by mistake.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
The file hardcodes an authentication token and automatically attaches it to outbound HTTP requests. This exposes a live credential in source code, encourages credential reuse, and makes accidental disclosure via version control, logs, or redistribution likely; additionally, the API URL uses plain HTTP, so the token may be sent unencrypted over the network.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script performs a real create-document operation against a live note-taking API without an explicit confirmation step or clear warning that user data will be modified. In an agent skill context, this increases the risk of unintended state changes, test artifacts, or destructive behavior being triggered automatically.

Ssd 3

Medium
Confidence
90% confidence
Finding
The skill encourages syncing full conversation payloads, including user and assistant message contents, into notes. Because conversation content may contain secrets, personal data, or confidential material, this creates a straightforward data leakage pathway from the chat environment into persistent note storage.

Ssd 3

High
Confidence
95% confidence
Finding
The batch-history and automatic synchronization instructions expand the leakage risk from a single conversation to entire current and historical conversation sets. This materially increases impact because one misconfigured or over-trusting deployment could persist large volumes of sensitive data to local files or a connected SiYuan instance without clear sensitivity boundaries, retention controls, or user approval.

Ssd 3

Medium
Confidence
92% confidence
Finding
The help text and command interface normalize saving the current conversation to notes, but there are no guardrails around secret handling, content minimization, or informed consent. This makes accidental disclosure more likely because users may invoke the feature without understanding that both user and assistant messages can be persisted in external note storage.

Ssd 3

Medium
Confidence
96% confidence
Finding
The sync handler forwards the provided conversation_data directly to the note backend and even constructs full user/assistant message examples when data is absent. In this skill context, the core purpose is note synchronization, so the behavior is expected, but it is still dangerous because it creates a direct persistence path for potentially sensitive natural-language data with no validation, classification, or redaction.

Ssd 3

Medium
Confidence
95% confidence
Finding
The module formats and stores full user and assistant messages in natural-language form, creating durable records of potentially sensitive conversations. Because the content is appended to notes and may then be synced, backed up, or exposed through the note system, any secrets or personal data in chats can persist far beyond the original session.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.