Back to skill

Security audit

Write OpenNote

Security checks across malware telemetry and agentic risk

Overview

This OpenNote helper is purpose-aligned, but users should treat its local note history as private.

Install only if you are comfortable giving the skill an OpenNote token with the scopes you choose. Use the minimum token scopes needed, revoke unused tokens, and treat the .opennote cache/history files as private because they may reveal note titles, labels, image names, and short content previews.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Description-Behavior Mismatch

Low
Confidence
95% confidence
Finding
The skill explicitly persists labels and note history in local files under `.opennote/`, which extends data retention beyond the stated note-writing purpose. While not inherently malicious, this creates additional storage of user-related metadata and content that may be accessed by other local processes or future runs without the user's clear awareness.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill logs note history locally, including content previews, without surfacing this behavior in the top-level skill description. Because notes may contain sensitive personal information, undisclosed secondary storage increases privacy risk and may violate user expectations around where their content is kept.

Ssd 3

Medium
Confidence
92% confidence
Finding
Persisting note history for later reuse is not strictly necessary to complete a one-time note write request, so it broadens the data footprint unnecessarily. This increases exposure of sensitive user text and metadata if the workspace is shared, backed up, or later inspected.

Ssd 3

Medium
Confidence
97% confidence
Finding
These instructions require storing a `contentPreview` for every created or updated note, guaranteeing that user-generated text is duplicated locally. That duplication increases the blast radius of any local compromise and is especially risky for journal-like content that may contain sensitive personal details.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.