Joplin Notes

Security checks across malware telemetry and agentic risk

Overview

This is a real Joplin WebDAV notes integration, but it can read and overwrite synced notes using stored credentials with limited safeguards.

Review before installing. Use only with a dedicated, least-privilege WebDAV account and an HTTPS Joplin sync URL you personally set. Keep backups before enabling write operations, verify note and notebook IDs before updates, and avoid letting an agent run the write scripts automatically on sensitive notes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (8)

Tainted flow: 'command' from os.getenv (line 53, credential/environment) → subprocess.run (code execution)

Severity: Medium
Category: Data Flow
Content:
"curl", "-s", "-u", f"{JOPLIN_USERNAME}:{password}",
        "-X", "PROPFIND", "--header", "Depth: infinity", url
    ]
    result = subprocess.run(command, capture_output=True, text=True, check=True)

    # Extract path part of the URL for the regex
    url_path = urlparse(url).path
Confidence: 88%
Finding: result = subprocess.run(command, capture_output=True, text=True, check=True)

Tainted flow: 'command' from os.getenv (line 53, credential/environment) → subprocess.run (code execution)

Severity: Medium
Category: Data Flow
Content:
url += "/"

    command = ["curl", "-s", "-u", f"{JOPLIN_USERNAME}:{password}", f"{url}(unknown)"]
    result = subprocess.run(command, capture_output=True, text=True, check=True)
    return result.stdout

def parse_note_data(content):
Confidence: 84%
Finding: result = subprocess.run(command, capture_output=True, text=True, check=True)

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding: The skill description highlights creation and update operations for notes and notebooks without warning that these actions alter persistent user data. This increases the risk of unintended destructive or integrity-impacting actions by an agent or user who may assume the skill is informational rather than state-changing.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The documentation instructs use of a WebDAV password via environment variables but provides no guidance on secret handling, logging avoidance, or scope limitation. In practice, agent tooling may expose environment variables through subprocesses, debug output, or misconfigured execution contexts, risking credential disclosure and downstream unauthorized access to the user's Joplin data store.

Missing User Warnings

Severity: Low
Confidence: 82%
Finding: The script writes notebook data to a predictable path in /tmp, which can expose sensitive content and create race-condition or symlink risks on multi-user systems. Because the filename is constant, another local user or process could pre-create, replace, or observe the file before deletion.

Missing User Warnings

Severity: Medium
Confidence: 78%
Finding: The script automatically performs an authenticated network request using credentials from environment variables without any user-facing notice, confirmation, or audit signal. In an agent skill context, this can cause silent access to a user's remote Joplin data store, which increases the risk of unintended data exposure or actions taken without informed user awareness.

Missing User Warnings

Severity: Medium
Confidence: 78%
Finding: The script reads a password from an environment variable and later uses it for authenticated upload, but it provides no disclosure or consent boundary to the user at execution time. In an agent skill context, this can cause silent use of stored credentials to send data to a remote service, which increases the chance of unintended data transfer or misuse of existing secrets.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding: This code uploads local file contents to the configured WebDAV endpoint without any user-visible warning that note data will leave the local environment. In a notes-management skill, network transmission is functionally expected, but the lack of explicit disclosure is still security-relevant because notes may contain sensitive personal or business information and the destination is controlled by configuration.

VirusTotal

64/64 vendors flagged this skill as clean.
