Skill v1.0.3
ClawScan security
Trilium · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Feb 11, 2026, 6:46 PM
- Verdict
- suspicious
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's behavior (Trilium ETAPI access) matches its name, but the SKILL.md requires an ETAPI token and server URL that are not declared in the registry metadata—an incoherence that users should understand before installing.
- Guidance
- This skill legitimately needs two pieces of information to work: TRILIUM_ETAPI_TOKEN (an ETAPI token you generate in Trilium) and TRILIUM_SERVER_URL (the Trilium server address). Before installing: (1) be aware the registry metadata does not list these required env vars or a primary credential — you must provide them manually. (2) The ETAPI token grants API-level access to all notes reachable by that token; only provide it if you trust the skill and the agent's ability to run it. Prefer generating a scoped or ephemeral token if Trilium supports it, and run the Trilium server on a local or private network if you want to keep data internal. (3) Because the skill can be invoked autonomously, any stored token could be used without an extra prompt — consider limiting network access or using a token that has limited permissions. (4) If you need more assurance, request the publisher add the required env vars to the registry metadata and/or include an explicit statement of exactly which ETAPI endpoints the skill will call and when.
Review Dimensions
- Purpose & Capability
- note: The skill is clearly for interacting with Trilium Notes via its ETAPI (reading, searching, creating notes). That capability aligns with the name and included reference doc. However, the registry metadata lists no required environment variables or primary credential while the SKILL.md explicitly requires TRILIUM_ETAPI_TOKEN and TRILIUM_SERVER_URL — a discrepancy between claimed metadata and actual instructions.
- Instruction Scope
- ok: The runtime instructions are narrowly scoped to calling the Trilium ETAPI (authenticate with a token, use the server URL, perform GET/POST/PUT/DELETE/search). The SKILL.md does not instruct reading arbitrary local files, scanning other credentials, or sending data to unrelated endpoints.
- Install Mechanism
- ok: This is an instruction-only skill with no install spec and no code files, so nothing will be written to disk or fetched at install time via an external URL.
- Credentials
- concern: The SKILL.md rightly requires TRILIUM_ETAPI_TOKEN and TRILIUM_SERVER_URL (both are appropriate for Trilium access), but the registry metadata declares no required env vars or primary credential. That mismatch is concerning because the platform metadata will not surface or enforce the secret requirement and the token grants full API access to the user's notes.
- Persistence & Privilege
- ok: The skill does not request always:true, does not claim to modify other skills or system settings, and is not asking for persistent installation privileges. Autonomous invocation is enabled by default (normal), so any provided token could be used by the agent when the skill runs.
