Siyuan Note

Security checks across malware telemetry and agentic risk

Overview

This is a real local SiYuan Note helper, but it gives an agent broad access to search, export, modify, delete, and SQL-query private notes without clear guardrails.

Install only if you intend to let the agent operate on your local SiYuan workspace. Provide the token only for deliberate SiYuan tasks, review any SQL before it runs, and require explicit approval for creating, updating, deleting, exporting, or sending note data outside the local machine.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill clearly instructs the agent to use network access and an API token, but it does not declare permissions or scope those capabilities. This creates a mismatch between what the skill can induce the agent to do and what reviewers or runtime policy may expect, increasing the risk of silent local-data access or modification.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger phrases include broad everyday requests such as creating documents, searching notes, and querying databases, which could cause the skill to activate in contexts where the user did not intend SiYuan local-note access. Unintended activation is risky here because the skill supports both sensitive note retrieval and modification of local content.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The description advertises creation and modification of local notes without warning that it can alter user data. A user may invoke the skill expecting informational help, while the skill is capable of persistent local changes such as creating documents or appending blocks.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill exposes arbitrary SQL queries over the notes database without warning that queries may reveal sensitive note contents, metadata, and document structure. Because SQL is a powerful primitive, broad or user-influenced statements could enumerate or extract far more private local information than a user expects from a simple search request.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill documents a network proxy capability that can send arbitrary requests to external URLs, which expands the skill from purely local note operations into outbound network access. In an agent context, this is dangerous because note contents, metadata, tokens, or other local data could be transmitted off-host if the capability is exposed without explicit restrictions, user consent, and destination validation.

VirusTotal

65/65 vendors flagged this skill as clean.
