append-note

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed local note-saving skill that writes user-requested chat content to Markdown files on disk.

Install only if you want an agent-accessible tool that can save selected chat text to local Markdown files. Review the external go-note-sync-mcp repository and built executable before configuring it, and avoid saving passwords, API keys, private messages, or sensitive personal data unless local disk retention is acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill is explicitly designed to persist chat content to local Markdown files, but the user-facing description and usage guidance do not prominently warn that invoking it writes conversation data to disk. This creates a real privacy and data-handling risk because users may share sensitive information assuming a transient chat interaction, while the skill silently causes durable local storage.

Missing User Warnings

Medium
Confidence: 88%
Finding
The documentation explicitly states that user-provided title and content are written to a local repository path, but it does not warn that potentially sensitive user data will be persisted on disk. In a note-saving skill, users may provide reminders, journal entries, credentials, or other private text, so the lack of clear disclosure can lead to unintended local data retention and privacy exposure.

VirusTotal

64/64 vendors flagged this skill as clean.
