YNote News

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its news-briefing purpose, but it also exposes broader YNote account operations and runs an unpinned npm fallback package at runtime.

Install only if you are comfortable with the skill reading recent favorite-note excerpts, deriving search topics from them, and optionally running every day. Use a dedicated Perplexity key, review the YNote API permissions, avoid enabling the cron job unless you want recurring access, and treat the `open-websearch@latest` fallback as a supply-chain risk until it is pinned or removed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (17)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 85%
Finding: The skill invokes shell commands (`bash`, `openclaw cron`, `notify`) but does not declare corresponding permissions, creating a capability gap between what the manifest signals and what the skill actually does. This weakens user and platform trust boundaries because a reviewer may underestimate the skill's ability to execute local commands and alter runtime state.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 88%
Finding: The skill is presented as a note-based news push feature, but its documented behavior includes external web search across multiple providers and generic MCP invocation capability. That mismatch is dangerous because it obscures data egress and tool reach, potentially causing user note-derived content to be transmitted to third parties under a narrower-sounding description.

Context-Inappropriate Capability

Severity: Medium
Confidence: 82%
Finding: Managing cron jobs and sending desktop notifications are persistence and system-interaction capabilities beyond simple content analysis. Even if used for legitimate scheduling, these actions modify user environment behavior and can be abused for unwanted persistence, repeated execution, or spammy notifications if triggered without clear consent.

Context-Inappropriate Capability

Severity: High
Confidence: 95%
Finding: The script accepts an arbitrary tool name and arbitrary JSON arguments from the caller, making it a generic YNote MCP client rather than a narrowly scoped news-push helper. In the context of a skill advertised only for news delivery, this overbroad capability can be abused to invoke unrelated note-management tools and access or modify user data beyond the stated purpose.

Description-Behavior Mismatch

Severity: Medium
Confidence: 90%
Finding: The implementation and usage comments describe a reusable MCP tool caller, not a dedicated workflow for analyzing favorite notes and pushing related news. This mismatch increases security risk because operators may grant trust or credentials based on the narrow skill description while the code can perform broader actions against the YNote MCP service.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding: The script executes `npx open-websearch@latest`, which fetches and runs the latest remote npm package at runtime. This creates a supply-chain/code-execution risk because behavior can change without review, and any compromise of the package or its dependencies would execute in the agent's environment.

Vague Triggers

Severity: Medium
Confidence: 80%
Finding: Overly broad trigger phrases, such as generic "daily briefing" or "recent interests" wording, increase the chance of accidental activation. In this skill, accidental activation is meaningful because it can read recent favorite notes, perform external searches, and potentially schedule recurring actions, causing unintended privacy exposure or system changes.

Missing User Warnings

Severity: High
Confidence: 95%
Finding: The skill processes the contents of recently favorited notes to derive topics and then uses those topics for external search, but it does not provide a clear privacy notice or consent language about possible transmission of note-derived information to third-party providers. Because note content may contain sensitive personal or business data, this omission materially increases the risk of unintended data disclosure.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The documented workflow creates, modifies, and removes cron jobs that change ongoing system behavior, but it does not require explicit confirmation or provide strong warnings about persistence and side effects. This is dangerous because recurring tasks can continue running after a one-time interaction, leading to repeated data access, network activity, or user confusion.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding: The script fetches recent favorite notes, including note content, through a backend call and outputs that content without any inline consent check, warning, or minimization beyond truncation. In this skill context, favorite notes are likely to contain sensitive personal or business information, so silently ingesting and exposing their contents to the agent pipeline increases privacy and data-handling risk.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: User-provided query text is sent to the external Perplexity API without any explicit disclosure or consent mechanism in this component. In the context of a note-analysis/news-push skill, queries may be derived from a user's saved notes or interests, which can reveal sensitive personal or business topics to a third party.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The helper silently downloads and runs external code through `npx` with no user-facing disclosure or consent. In an agent skill context, this is risky because users may believe they are invoking a local news/search feature while the skill is actually executing unreviewed third-party code.

Missing User Warnings

Severity: Medium
Confidence: 82%
Finding: The code sends the user-provided search query to an external search component and likely onward to network search engines, while also passing environment-selected engine configuration. For a note-analysis/news-push skill, this can expose user interests or note-derived topics to third parties without explicit notice, creating a privacy and data-handling risk.

Ssd 3

Severity: Medium
Confidence: 92%
Finding: The skill derives topics from a user's favorited notes and instructs the agent to expose note titles as evidence for why each topic was selected. Revealing specific note titles can leak sensitive interests, projects, health issues, finances, or other personal metadata into the generated output, even when the user only asked for a news briefing.

Ssd 3

Severity: Medium
Confidence: 94%
Finding: The briefing template explicitly instructs disclosure of which user notes motivated each topic, embedding potentially sensitive personal metadata directly into the response. In context, this is more dangerous because the skill is designed for repeated and scheduled use, so the disclosure pattern could recur automatically and normalize leakage of private note information.

External Transmission

Severity: Medium
Category: Data Exfiltration
Confidence: 88%
Finding (matched string): fetch('https://api.perplexity.ai/search', { method: 'POST'
Content (excerpt from the skill's source):

  const timer = setTimeout(() => controller.abort(), TIMEOUT_MS);

  try {
    const resp = await fetch('https://api.perplexity.ai/search', {
      method: 'POST',
      headers: {
        'Authorization': `Bearer ${apiKey}`,

External Transmission

Severity: Medium
Category: Data Exfiltration
Confidence: 88%
Finding (matched string): https://api.perplexity.ai/
Content (excerpt from the skill's source):

  const timer = setTimeout(() => controller.abort(), TIMEOUT_MS);

  try {
    const resp = await fetch('https://api.perplexity.ai/search', {
      method: 'POST',
      headers: {
        'Authorization': `Bearer ${apiKey}`,

VirusTotal

66/66 vendors flagged this skill as clean.
