Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
NoteTaker Pro
v1.0.3
AI-powered note-taking assistant that captures, cleans, tags, organizes, and indexes text, voice, paste, and photo notes for easy search and recall.
by @nollio
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign (medium confidence)
Purpose & Capability
Name/description (multi-modal note capture, tagging, search, export) match the files and instructions. The skill is instruction-only (no install) and includes one local export script; it references agent-provided tools (image OCR, web_fetch, transcription) which is expected for this purpose. No unrelated environment variables, binaries, or hidden services are requested.
Instruction Scope
SKILL.md instructs the agent to capture and persist all user-provided content (text, voice OCR, photos) into data/notes/, auto-organize, and optionally fetch URLs. It also asks the agent to 'internalize' SKILL.md via the setup prompt. That behavior is consistent with a local note-taking assistant, but it means the skill will store anything a user submits (including potentially sensitive content) and will call web_fetch for pasted URLs — be sure that fetching/processing of remote content is acceptable in your environment.
Install Mechanism
No install spec or external downloads are present; the package is instruction-only and includes a local shell export script. There are no brew/npm/pip downloads or archive extracts. This is the lower-risk install model.
Credentials
The skill declares no required environment variables, no credentials, and no config paths outside its own tree. The README/SECURITY.md mention optional dashboard/sync features (Supabase) but the package does not include active sync credentials or code that performs network exfiltration — the architecture spec shows how an optional paid dashboard might integrate, which would require separate credentials if enabled.
Persistence & Privilege
The skill does not request 'always: true' and is user-invocable. It writes notes into a local data/ directory under the agent workspace and includes an export script that enforces output containment inside data/exports. It does not modify other skills or system-wide configs in the provided content.
Scan Findings in Context
[ignore-previous-instructions] expected: The regex detector flagged prompt-injection text; SKILL.md explicitly includes guidance to treat ingested note content as data and to ignore instruction-like strings. This pattern is expected here because the skill documents prompt-injection defenses and even lists 'ignore previous instructions' as an example to be ignored.
Assessment
What to check before installing and using NoteTaker Pro:
- Verify the source: the package claims a Codex/OpenAI audit and a vendor (NormieClaw) but the skill's source/homepage are unknown. Treat audit claims as unverified unless you can confirm them from the vendor.
- Confirm network/remote behavior: the SKILL.md can call 'web_fetch' for pasted URLs and describes an optional dashboard sync (Supabase). If you enable any dashboard/sync in the future, that will require credentials and network access — review those components separately before enabling.
- Inspect included scripts: scripts/export-notes.sh enforces exporting only into data/exports and uses python3 to resolve paths; it appears to restrict writes to the workspace. If you plan to run it, review it yourself and run it under an account that has limited privileges.
- Be aware of data stored locally: the agent will capture everything users send (including sensitive data) into data/notes/. Make sure the agent workspace is on a machine/storage you control, set appropriate filesystem permissions (the package recommends chmod 700/600), and have a data deletion/backups plan.
- Prompt-install step: the SETUP-PROMPT asks you to paste a setup block into the agent chat to 'install' and internalize instructions. This is how many skills bootstrap, but only paste it into an agent/session you trust; do not paste setup blocks into third-party or public agents.
- Audit and logging: if you need higher assurance, (1) run a quick grep for any outbound network calls in the workspace, (2) run the skill in a sandboxed agent session first, and (3) if you enable dashboard sync later, review the specific sync code and credentials required.
Given the contents, the package is coherent with its stated purpose and does not request disproportionate privileges, but exercise normal caution about origin, claims of audits, and enabling any optional networked components.
SECURITY.md:25
Prompt-injection style instruction pattern detected.
SKILL.md:19
Prompt-injection style instruction pattern detected.
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.
