笔记同步助手

Security checks across malware telemetry and agentic risk

Overview

This note-saving helper is coherent and disclosed, but users should be aware that a bare URL may be sent to the external note service.

Install only if you trust notebooksyncer.com with the notes, URLs, article content, and search terms you submit. Prefer explicit commands such as /notehelper link or /notehelper save, confirm ambiguous bare URLs before sending them, and revoke the API key if it is exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 94%
Finding
Automatically routing to `link` when the user sends only a URL can cause unintended exfiltration of private or internal links to a third-party service without explicit consent. This is especially risky because bare URLs may be shared for discussion, debugging, or review, and the skill is instructed to fetch and process them remotely.

Vague Triggers

Medium
Confidence: 94%
Finding
Automatically routing to `link` when the user sends only a URL can cause unintended exfiltration of private or internal links to a third-party service without explicit consent. This is especially risky because bare URLs may be shared for discussion, debugging, or review, and the skill is instructed to fetch and process them remotely.

VirusTotal

57/57 vendors flagged this skill as clean.
