YNote Clip
Security checks across malware telemetry and agentic risk
Overview
This skill mostly behaves like a YNote web clipper, but it warrants review because it bundles a helper that can call any YNote MCP tool, a hardcoded Apify token for Twitter/X clipping, and extra account and local-state checks after saving.
Before installing, confirm you are comfortable with selected webpage content being sent to YNote, Twitter/X clipping being processed through Apify, and the skill having broad YNote MCP helper capabilities. Prefer using your own declared credentials, avoid sourcing a full shell profile, and clean up the /tmp clipping data file after sensitive saves.
VirusTotal
66/66 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If misused by the agent or by instructions that influence the agent, this helper could call YNote MCP tools beyond the clipping workflow, including any higher-impact tools the server exposes.
The helper forwards an arbitrary tool name and arbitrary JSON arguments to the YNote MCP server with the user's API key, with no local allowlist or confirmation boundary.
TOOL_NAME="${1:?用法: mcp-call.sh <tool_name> '<json_args>'}" ... method:"tools/call",params:{name:$name,arguments:$args}
Restrict the helper to a small allowlist of the tools needed for clipping, and require explicit user confirmation for any read, delete, publish, or bulk-change operation.
Twitter/X URLs may be processed through an Apify account controlled by an unknown party, and the embedded credential creates unclear accountability and privacy expectations.
The Twitter/X flow uses a hardcoded Apify API token when APIFY_API_TOKEN is not set, even though the registry requirements only declare YNOTE_API_KEY.
const DEFAULT_APIFY_TOKEN = 'apify_api_vsVgnrJKGDCfhfTil8FpBaMaM4vexW1TZocw'; ... const token = process.env.APIFY_API_TOKEN || DEFAULT_APIFY_TOKEN;
Remove the bundled token, declare APIFY_API_TOKEN if Apify is required, and ask the user before sending a Twitter/X URL to Apify.
A user asking only to save a page may also have recent-note metadata and local scheduled-task state inspected for a promotional suggestion.
After a successful clip, the skill instructs the agent to read recent favorite notes and local cron state to decide whether to show a briefing prompt.
After the clip succeeds... bash {baseDir}/mcp-call.sh getRecentFavoriteNotes '{"limit":3}' ... openclaw cron list --json
Make this follow-up check opt-in, disclose it clearly to the user, and avoid reading note lists or cron state unless the user asks for briefing setup.
The skill runs injected JavaScript inside the browser page to collect content from the URL being clipped.
The skill decodes a large base64 JavaScript payload for browser-page injection; this is aligned with extracting page content, but it is less transparent than plain source.
(()=>{const s=document.createElement('script');s.textContent=atob('dmFyIGNvbGxlY3RQYXJzZXI7...
Keep the injected source in readable form, verify that the base64 payload matches the bundled collect-window.js, and avoid changing page state beyond extraction.
Sourcing the whole shell profile can execute user-defined shell startup code and expose additional exported environment variables to the clipping process.
The default workflow suggests sourcing the user's shell profile before running the Node script so environment variables are available.
source ~/.zshrc && node {baseDir}/clip-note.mjs --data-file /tmp/ynote-clip-data.json
Prefer passing only the required YNOTE_API_KEY in the command environment instead of sourcing the full shell profile.
Content from the clipped page may remain on local disk after the note is created, which matters for private or logged-in pages.
The final JSON file containing extracted title/content/image URLs is written to a fixed /tmp path, while only the intermediate .raw file is removed.
DATA_FILE="${2:-/tmp/ynote-clip-data.json}" ... writeFileSync('$DATA_FILE', JSON.stringify(d)); ... rm -f "$DATA_FILE.raw"
Delete /tmp/ynote-clip-data.json after successful clipping, or write it with restrictive permissions in a per-run temporary directory.
