ClawHub

Clawnoter Obsidian

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: saves web articles into an Obsidian vault, with disclosed local file writes and network fetching.

Install only if you are comfortable with the skill scanning common local folders for Obsidian vaults and sending saved article URLs to Jina.ai. Avoid using it for private, tokenized, intranet, login-only, or sensitive links unless you accept that disclosure risk.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The code automatically reads Obsidian's app metadata and recursively scans common user directories to discover vault paths without requiring the user to explicitly provide them. In a skill whose purpose is to save content into a local vault, this broad local enumeration is privacy-invasive because it reveals filesystem structure and note-storage locations unrelated to the immediate action, and it normalizes access to user data beyond strict necessity.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script sends the user-supplied article URL to the third-party service r.jina.ai to obtain converted Markdown. This expands data exposure beyond the stated local-vault-saving purpose: URLs, potentially sensitive internal links, and associated access patterns are disclosed to an external service without clear consent or restriction, which is especially risky if users save private, intranet, or tokenized pages.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README explicitly documents that the primary fetch path sends user-supplied URLs to `https://r.jina.ai/<URL>`, which means the target URL and potentially fetched page content are disclosed to a third-party service. Because the skill is meant to save arbitrary web articles into a local knowledge vault, users may reasonably use it on sensitive, private, or tokenized links; without a clear privacy warning, they may unknowingly expose confidential URLs or content.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill normally sends the target URL to `https://r.jina.ai/<URL>` and may cause page content to transit through or be processed by that external service, yet the user-facing description does not prominently warn about this. For private, sensitive, or internal URLs, that creates a meaningful confidentiality risk because users may believe processing is local-only.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal