Joplin Api

Security checks across malware telemetry and agentic risk

Overview

This Joplin skill mostly does what it advertises, but it can change or permanently delete notes and its export safety boundary is misleading.

Install only if you are comfortable giving the skill broad control over your Joplin data. Avoid permanent delete operations unless you have backups, keep the Joplin token private, and do not rely on the documented export directory restriction until the export script rejects out-of-scope paths instead of merely warning.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Intent-Code Divergence

Medium
Confidence: 95%
Finding
The header states exports are restricted to the workspace directory, but the implementation only prints a warning when the destination is outside allowed paths and then still writes the file. This creates a misleading security boundary that callers or downstream agents may trust, enabling unintended writes to arbitrary non-blocked locations.

Missing User Warnings

Medium
Confidence: 90%
Finding
The description says the skill can create, read, update, delete, and search Joplin notes, but it does not prominently warn users that destructive modification and deletion are possible. In practice, a user may invoke the skill assuming it is read-oriented or low-risk, leading to unintended data loss or unauthorized note changes if the skill is misused.

Missing User Warnings

Low
Confidence: 84%
Finding
The documentation instructs users to supply an API token but provides no privacy or credential-handling warning. Because the token authorizes access to the user's Joplin data, poor handling could expose it through logs, shell history, screenshots, or copied configuration, enabling unauthorized access to notes.

Missing User Warnings

Medium
Confidence: 86%
Finding
The documentation exposes destructive delete operations, including a permanent-delete option, without an explicit warning, confirmation requirement, or guidance about recovery implications. In an agent/tooling context, this increases the chance that a model or user invokes deletion casually and causes irreversible note loss.

Missing User Warnings

Medium
Confidence: 83%
Finding
The notebook deletion command is documented without clarifying what happens to contained notes or whether deletion is permanent. In a note-management skill, this can lead to broad accidental data loss because deleting a folder/notebook may affect many notes at once.

Missing User Warnings

Medium
Confidence: 97%
Finding
The script accepts user-specified output paths and proceeds with exports even when the resolved destination is outside the workspace, only warning the user. In an agent/tooling context, this weakens containment and can be abused to write note contents into arbitrary writable locations, potentially exposing sensitive note data or overwriting application files outside the intended workspace.

VirusTotal

66/66 vendors flagged this skill as clean.
