Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
notetaker-pro
v1.0.0AI note-taking assistant that captures, cleans, organizes, tags, and indexes text, voice, paste, and photo inputs for instant, searchable notes.
⭐ 0· 36·0 current·0 all-time
by@nollio
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name/description match the files and instructions: multi-modal note capture, auto-organization, tagging, export. No unrelated credentials or binaries are requested. Dashboard/sync components refer to optional integrations (Supabase/dashboard) but those require additional configuration not declared as required environment variables.
Instruction Scope
SKILL.md stays within note-taking scope for most operations, but allows 'web_fetch' of user-provided URLs without a stated allowlist or host-scheme restrictions (SSRF risk). The SETUP-PROMPT copies files using broad find/cp commands which can inadvertently copy attacker-controlled files if run from an untrusted working directory. The skill does explicitly include prompt-injection defense language (treat ingested content as data), which is good, but the instructions still contain an automated web fetch path and broad file-copy steps that expand the agent's reach beyond local note processing.
Install Mechanism
No install spec (instruction-only) and only one included shell utility (export-notes.sh). There are no remote downloads or third-party package installs in the package. The export script appears to include filesystem safety checks (realpath normalization, category sanitization) and uses standard patterns.
Credentials
The package requests no environment variables or credentials. However the dashboard/dashboard-kit documentation and sync architecture describe upserting to Supabase and Next.js API endpoints — those operations would require credentials if the optional dashboard/sync features are enabled. The base skill itself does not request those creds, but enabling the dashboard later will require additional secrets and network access.
Persistence & Privilege
Skill is not always-enabled and does not request elevated platform privileges. The setup prompt instructs copying skill files into config and scripts directories and creating data/ directories inside the user's workspace, which is normal for a skill that stores local data. It does not modify other skills or system-wide settings.
Scan Findings in Context
[prompt-injection-pattern-ignore-previous-instructions] expected: The SKILL.md explicitly references strings like "Ignore previous instructions" as examples of malicious note content to be ignored; the scanner flagged the pattern but it appears inside a defensive prompt-injection mitigation section rather than as an instruction to ignore agent instructions.
[unrestricted-url-fetch-ssrf] unexpected: The CODEX audit and SKILL.md allow fetching user-provided URLs (web_fetch) without documented scheme/host restrictions; this is not necessary for basic note capture and poses SSRF/internal network access risk. The audit recommended adding URL safety policy (https-only, block private/loopback, require explicit user confirmation).
[setup-copy-broad-find-cp] unexpected: SETUP-PROMPT uses broad `find ... -exec cp -r` patterns which can match unintended files in large or attacker-controlled trees. The audit marked this a Medium issue and suggested limiting to a single trusted skill root and failing closed on >1 matches.
[export-script-path-safety] expected: The exported shell script previously had a path-traversal issue that the audit reports as fixed. The script now performs realpath normalization and boundary checks for export directories; this behavior is expected for an export utility and the fix is appropriate.
What to consider before installing
This package looks like a legitimate note-taking skill, but do not run its setup blindly. Before installing: 1) Inspect SETUP-PROMPT commands and avoid pasting the whole block directly into an agent — run the mkdir/chmod/cp steps yourself from a trusted shell and verify the paths the find commands match. 2) Disable or restrict automatic URL fetching: require explicit confirmation before the agent fetches any user-supplied URL, add an allowlist, and block loopback/private addresses to avoid SSRF. 3) Confirm you are comfortable granting the agent network access at all (the skill can operate locally; networked dashboard/sync features are optional and will require separate credentials). 4) Review scripts/export-notes.sh and run it in a controlled environment (it contains safety checks but should be audited in your environment). 5) Remember the SKILL.md includes prompt-injection defense wording (it intentionally contains phrases like 'ignore previous instructions' to teach the agent to ignore such content) — that flagged scanners but is defensive. If you need higher assurance, consider running the agent with limited network permissions or manually implementing the recommended URL safety policy and tightening the setup copy workflow before enabling the skill.SECURITY.md:25
Prompt-injection style instruction pattern detected.
SKILL.md:19
Prompt-injection style instruction pattern detected.
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.Like a lobster shell, security has layers — review code before you run it.
latestvk974xxjjtb2bp6epgxc9b6stm983ye7x
License
MIT-0
Free to use, modify, and redistribute. No attribution required.