YoudaoNote LLM Wiki

Security checks across malware telemetry and agentic risk

Overview

This is a coherent YoudaoNote wiki helper, but it should be reviewed because it can write persistent cloud notes from broad triggers and has inconsistent consent language for registry rebuilding.

Install only if you are comfortable giving the youdaonote CLI API-key access to your YoudaoNote account and having this skill create/update cloud notes. Use explicit commands where possible, review what will be archived before asking it to save conversation content, avoid ingesting secrets or regulated data, and confirm registry rebuilds or bulk writes before proceeding.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Intent-Code Divergence

Medium severity, 92% confidence
Finding
The skill contains contradictory instructions about registry rebuilding: earlier sections require explicit user confirmation before rebuilding the global registry, while the recovery section later says rebuilding happens automatically without user intervention. In practice, this inconsistency can cause an agent implementation to perform an unexpected write to the user's cloud notes account without consent, violating the stated safety boundary around persistence.

Vague Triggers

Medium severity, 87% confidence
Finding
The top-level trigger list includes broad, everyday phrases such as '记下来' ("write it down") and '知识查询' ("knowledge lookup"), which are easy to invoke unintentionally in normal conversation. Because this skill performs persistent write operations and account-wide scans, over-broad activation increases the chance of accidentally executing storage or retrieval actions the user did not intend.

Vague Triggers

Medium severity, 94% confidence
Finding
The Archive feature is triggered by vague phrases like '记下来' ("write it down") and '存入知识库' ("save to the knowledge base"), then proceeds to identify and persist recent conversation content. This is dangerous because ordinary conversational wording can cause sensitive or mistaken content from recent turns to be written into a long-lived cloud knowledge base without a precise, bounded selection step.

Ssd 3

Medium severity, 95% confidence
Finding
The Archive workflow explicitly stores recent conversation conclusions into the user's cloud knowledge base, but it lacks a semantic privacy guard for secrets, personal data, credentials, or regulated content that may have appeared in the conversation. Since it targets recent turns automatically, the skill context makes this more dangerous: chat history often contains ad hoc sensitive information that users do not expect to be persisted verbatim.

Ssd 3

Medium severity, 95% confidence
Finding
The Ingest workflow automatically persists pasted text and fetched web content into raw notes and then expands it into multiple derived pages, without a privacy classifier or minimization step. This can store confidential pasted material, internal documents, or third-party sensitive data in plain markdown and amplify exposure by copying it across index, log, and derived notes.

VirusTotal

64/64 vendors flagged this skill as clean.
