YoudaoNote Clip

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real Youdao web-clipper, but it needs review because it can capture sensitive chat pages and uses an under-disclosed Apify path for Twitter/X clipping.

Install only if you are comfortable with a skill that can read rendered browser page content and save it to Youdao Note. Avoid using it on AI chat sessions, private dashboards, or pages containing secrets unless you have reviewed what will be captured. For Twitter/X clipping, be aware that the target URL is sent to Apify and requires an Apify token that is not declared in the manifest.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (24)

Context-Inappropriate Capability

Severity: Medium
Confidence: 84%
Finding:
After clipping, the skill optionally queries recent favorite notes and inspects cron configuration for a separate 'news push' feature, which exceeds the minimum scope needed to save a webpage. Even though framed as optional UX guidance, it introduces access to unrelated user data and system configuration, increasing privacy exposure and creating function creep beyond the declared purpose.

Description-Behavior Mismatch

Severity: Medium
Confidence: 96%
Finding:
The skill claims to be a web-clipping utility, but it also exposes a generic create-note mode that can write arbitrary content. This expands capability beyond the declared purpose and could be abused by an agent or prompt chain to exfiltrate or persist unrelated sensitive data into the user's note account.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding:
Support for arbitrary folder-targeted note creation increases the blast radius of the skill beyond simple page clipping by allowing placement of content anywhere in the user's note hierarchy. In an agent setting, this can be leveraged to store attacker-influenced content in sensitive or trusted folders, making misuse stealthier and harder for the user to notice.

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding:
The skill is described as a generic web clipping tool, but the code explicitly supports extracting and formatting AI chat transcripts from multiple chatbot services. That broadens collection from page content to highly sensitive user-generated prompts and responses, which can include secrets, personal data, or proprietary information, making the behavior materially more privacy-invasive than the stated purpose suggests.

Context-Inappropriate Capability

Severity: Medium
Confidence: 97%
Finding:
The extractors for Deepseek, Yuanbao, Tongyi, Kimi, Doubao, and Yiyan iterate through conversation DOM nodes and capture full prompt/response histories. This is dangerous because chat histories often contain credentials, internal business data, personal information, and other sensitive context that users may not expect a 'save webpage' skill to harvest in full.

Description-Behavior Mismatch

Severity: High
Confidence: 96%
Finding:
The file's actual behavior is specialized Twitter/X scraping through Apify, which materially exceeds and diverges from the manifest's stated purpose of clipping arbitrary webpages to Youdao Note. This kind of capability mismatch is dangerous because users and orchestrators may grant permissions or trust based on the manifest, while the code silently sends selected content to a third-party scraping service.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding:
The script requires an Apify API token and depends on an external scraping service, a privileged capability not justified by the declared webpage-clipping purpose. In skill ecosystems, hidden credential use and undisclosed third-party dependencies expand the attack surface and can expose user activity, URLs, and account-linked API usage to external parties.

Vague Triggers

Severity: Medium
Confidence: 78%
Finding:
The trigger phrases '剪藏网页、保存网页、收藏网页' (clip webpage, save webpage, bookmark webpage) are broad, common expressions that may match ordinary user requests and cause unintended invocation of a skill that performs external content retrieval and writes data into a note account. In this context, accidental activation is more concerning because the skill can fetch arbitrary URLs, use browser extraction, and save content using an API key-backed integration.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding:
When debug mode is enabled, the code logs parameters and writes note content previews to disk under a debug directory. This creates a local confidentiality risk because sensitive page content, URLs, and metadata may persist on disk without strong safeguards, retention controls, or a prominent user-facing warning at the moment data is collected.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding:
The script passes the API key via command-line arguments to node, which can expose the secret to other local users or monitoring tools through process listings, shell history, or diagnostic logs. Secrets should not be propagated in argv because command-line arguments are routinely observable on multi-user systems and in crash/telemetry data.

Missing User Warnings

Severity: Medium
Confidence: 80%
Finding:
The script writes extracted page data to a persistent file, with a default path under /tmp, and also creates an intermediate raw file. This can expose sensitive clipped content to other local processes or later users on shared systems, especially if the temp directory has weak permissions or cleanup fails.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
When debug mode is enabled, the script stores the visited URL and debug artifacts on disk, increasing data retention beyond the main clipping output. URLs often contain sensitive query parameters, tokens, document identifiers, or private paths, so logging them can leak confidential information long after the task completes.

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding:
The code decodes and injects a base64-encoded script into the page, then executes it in the page context and uses it to parse and extract page content. Even if this is intended functionality for a web-clipping skill, it materially increases trust requirements because hidden bundled code executes with access to the full DOM and can collect sensitive on-page data without any user-visible disclosure or consent mechanism in this file.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The code collects sensitive chat and page content directly from the DOM with no in-code indication of user-facing notice, consent, or just-in-time warning. Silent collection increases the risk of privacy violations and accidental exfiltration because users may believe they are saving a visible article, not exporting an entire conversation transcript.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
When parsing fails or no site-specific rule matches, the code falls back to getMainContent() or even document.body.outerHTML/document.body.innerHTML, which can capture far more content than needed. Without a warning or review step, this may sweep up unrelated visible content, embedded data, or sensitive page material beyond the user's intended clipping target.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The code sends the target Twitter/X URL and API token to Apify and later stores fetched content in local files and cache, but there is no explicit runtime warning or consent mechanism. This creates a privacy and data-governance risk because user-requested content and associated access patterns are disclosed to a third party and retained locally without a clear user-facing notice.

Ssd 3

Severity: High
Confidence: 96%
Finding:
The parser includes dedicated handlers for multiple third-party AI chat services and packages entire conversations, including user prompts, into exportable content. In the context of a web clipping skill, this creates a sensitive-data collection capability that is broader than necessary and could be abused to harvest confidential conversations from AI tools.

Ssd 3

Severity: High
Confidence: 97%
Finding:
The Deepseek extractor walks message nodes, records user questions and assistant answers, and preserves assistant HTML for export. That creates a reusable transcript of potentially sensitive prompts and responses, which may include personal, financial, credential, or proprietary content not appropriate for silent collection.

Ssd 3

Severity: High
Confidence: 97%
Finding:
The Yuanbao extractor captures both human-entered chat text and AI output into a structured log. This is risky because it turns ephemeral on-page conversations into persistent exported records without evidence of an explicit warning, increasing privacy and data-handling exposure.

Ssd 3

Severity: High
Confidence: 96%
Finding:
The Tongyi extractor preserves user questions alongside AI answers by traversing question and answer DOM items. This is dangerous because it captures conversational context that may contain sensitive business or personal data, far beyond ordinary article clipping behavior.

Ssd 3

Severity: High
Confidence: 96%
Finding:
The Kimi extractor logs user messages, assistant responses, and auxiliary research content into an exportable structure. Capturing both prompt history and generated content can expose confidential instructions, uploaded-data-derived outputs, and other sensitive session material if saved or transmitted without strong consent controls.

Ssd 3

Severity: High
Confidence: 96%
Finding:
The Doubao extractor records sent user messages and received assistant message HTML from the conversation interface. This converts potentially sensitive interactive content into a persistent export, and the HTML-based capture may include more content than intended from the rendered response area.

Ssd 3

Severity: High
Confidence: 96%
Finding:
The Yiyan extractor assembles user questions and assistant answers into a dialogue history object for export. In a clipping skill context, that is a significant privacy-sensitive capability because it preserves raw conversation content that users may not expect to be collected wholesale.

Ssd 3

Severity: High
Confidence: 95%
Finding:
The formatter converts captured chat logs into an exportable HTML document containing raw user questions, answers, titles, and metadata such as source link and save time. This makes sensitive conversational data easy to persist, sync, or share, amplifying the consequences of over-collection from AI chat pages.

VirusTotal

VirusTotal findings are pending for this skill version.
