Back to skill

Security audit

Supernote Cloud

Security checks across malware telemetry and agentic risk

Overview

The skill does what it claims for Supernote cloud access, but it deserves Review because it handles account credentials and reusable tokens with weak scoping and transport safeguards.

Install only if you trust the configured Supernote server and intend to give this skill account access. Prefer HTTPS, avoid uploading sensitive files unless intended, remove /tmp/.supernote_token after use, and be cautious with passwords, file paths, filenames, and folder names containing quotes or unusual characters.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill clearly documents network access, shell execution, and file upload/write behavior, yet it declares no permissions or trust boundaries. That mismatch can cause the platform or user to underestimate what the skill can do, increasing the chance of unintended data transfer, local file access, or command execution without informed consent. In context, this skill is specifically designed to fetch remote content and upload files to a self-hosted cloud, which makes undeclared capabilities more operationally significant.

Missing User Warnings

Low
Confidence
78% confidence
Finding
The skill encourages fetching arbitrary URLs and converting/uploading their contents to the user's Supernote cloud, but it does not warn that this transmits data to external sites and may process private or tracking-heavy content. Users may not realize that article fetching can reveal metadata such as IP address to third-party servers and that uploaded content is stored on another service endpoint, even if self-hosted. The context makes this more relevant because URL ingestion is a primary advertised feature, not an edge case.

External Transmission

Medium
Category
Data Exfiltration
Content
# Step 3: Login
  local LOGIN_RESP
  LOGIN_RESP=$(curl -s -X POST \
    -H "Content-Type: application/json" \
    -H "withCredentials: true" \
    "$BASE_URL/api/official/user/account/login/new" \
Confidence
95% confidence
Finding
curl -s -X POST \ -H "Content-Type: application/json" \ -H "withCredentials: true" \ "$BASE_URL/api/official/user/account/login/new" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
local DATA="$2"
  local TOKEN
  TOKEN=$(get_token)
  curl -s -X POST \
    -H "Content-Type: application/json" \
    -H "x-access-token: $TOKEN" \
    -H "withCredentials: true" \
Confidence
93% confidence
Finding
curl -s -X POST \ -H "Content-Type: application/json" \ -H "x-access-token: $TOKEN" \ -H "withCredentials: true" \ "$BASE_URL$ENDPOINT" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
# Step 1: Apply for upload
  local APPLY_RESP
  APPLY_RESP=$(curl -s -X POST \
    -H "Content-Type: application/json" \
    -H "x-access-token: $TOKEN" \
    -H "withCredentials: true" \
Confidence
94% confidence
Finding
curl -s -X POST \ -H "Content-Type: application/json" \ -H "x-access-token: $TOKEN" \ -H "withCredentials: true" \ -H "timestamp: $TIMESTAMP" \ -H "nonce: $NONCE" \ "$BASE_URL/

External Transmission

Medium
Category
Data Exfiltration
Content
# Step 2: Upload to OSS
  local OSS_RESP
  OSS_RESP=$(curl -s -X POST \
    -H "x-access-token: $TOKEN" \
    -F "file=@$FILE_PATH" \
    "$UPLOAD_URL")
Confidence
97% confidence
Finding
curl -s -X POST \ -H "x-access-token: $TOKEN" \ -F "file=@$FILE_PATH" \ "$UPLOAD_URL") # Step 3: Finish upload local FINISH_RESP FINISH_RESP=$(curl -s -X POST \ -H "Content-Type

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.