
Security audit

话袋笔记 (Huadai Notes) Skill

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Huadai notes integration that uses OAuth and an API key to create, update, and search notes, with no artifact-backed evidence of hidden or unrelated behavior.

Install only if you trust Huadai with the notes you save or search through this skill. Expect OAuth authorization, local storage of HUADAI_API_KEY and HUADAI_USER_UUID, and API calls to openapi.ihuadai.cn. Keep session logs and OpenClaw config private, and use explicit commands for save/update/search if you want tighter control.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
84%
Finding
The skill uses sensitive capabilities (environment variables and outbound network access) but does not declare corresponding permissions in `requires`, which weakens reviewability and runtime governance. This can cause the agent platform or user to underestimate what the skill can access, especially since it handles API keys and makes authenticated requests to a third-party service.

Tp4

High
Category
MCP Tool Poisoning
Confidence
92%
Finding
The description presents the skill as a note create/update/search tool, but the file also defines OAuth device-flow behavior that obtains and processes authentication credentials such as `api_key` and `unique_id/user_uuid`. This mismatch is security-relevant because users and reviewers may invoke or approve the skill without realizing it can initiate authorization flows and handle credentials, increasing phishing, credential exposure, and over-privileged use risks.

Vague Triggers

Medium
Confidence
81%
Finding
The natural-language triggers for saving, updating, and searching notes are broad everyday phrases, which increases the chance of accidental invocation. In this context, accidental activation can lead to unintended transmission of user content to the external note service or unintended modification/search of private notes.

Vague Triggers

Medium
Confidence
83%
Finding
The configuration/auth trigger language is ambiguous and support-like, making it easier for unrelated help requests to activate OAuth or configuration guidance. Because this skill can initiate authorization-related flows and discuss key setup, mistaken activation could expose sensitive setup details or steer users into credential handling when they did not intend to authorize the integration.

Missing User Warnings

Medium
Confidence
88%
Finding
The documentation instructs clients to send a persistent user identifier (`USER-UUID`) together with an API key to an external service, but it does not include any warning about handling these values as sensitive credentials or about the privacy implications of transmitting user-linked note data off-platform. In a skill context that manages personal notes, this omission increases the risk of accidental credential leakage, cross-user data mix-ups, or uninformed transmission of private content to a third party.

Vague Triggers

Medium
Confidence
93%
Finding
The skill advertises very broad, everyday-language triggers such as '记下来/存到笔记' (roughly "note this down" / "save it to notes"), which can cause over-invocation when a user casually mentions saving or remembering something. In a note-taking skill, this increases the chance of unintentionally sending sensitive user content to the external notes backend without sufficiently clear user intent or confirmation.

VirusTotal

67/67 vendors flagged this skill as clean.


Static analysis

No suspicious patterns detected.