Back to skill

Security audit

Zettelkasten - 卡片笔记

Security checks across malware telemetry and agentic risk

Overview

The note-taking code is mostly local and purpose-aligned, but the bundle includes a publishing script that can package and upload the current directory using local ClawHub credentials if run.

The note skill itself appears suitable only if you are comfortable with local persistence of your notes in a JSON file. Do not run publish.sh unless you intentionally want to publish the package, have reviewed exactly what directory contents will be archived, and understand that it uses the ClawHub credential stored at ~/.clawhub/credentials.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill metadata declares no required permissions, yet the analyzed behavior indicates file read, file write, and shell capabilities. That creates a transparency and consent problem: a user invoking a note-taking skill would not reasonably expect it to access local files or execute shell commands, especially if those capabilities are later used to read secrets or make network calls.

Tp4

High
Category
MCP Tool Poisoning
Confidence
99% confidence
Finding
The described behavior includes publishing the skill package to a remote API using a bearer token read from ~/.clawhub/credentials, which is far beyond the stated note-taking purpose and strongly suggests secret access plus data exfiltration. In the context of a local productivity skill, undeclared remote publishing and automatic storage of extra generated content are highly dangerous because they can leak user data, credentials, or packaged code without meaningful user awareness.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README explicitly describes automatic recording of user ideas, AI-generated expansion cards, linkage detection, and daily review, but provides no notice about what data is stored, how long it is retained, or whether sensitive personal content may be processed. For a note-taking skill that captures freeform thoughts, this creates a real privacy and consent risk because users may submit highly sensitive personal, health, work, or proprietary information without understanding the storage implications.

Vague Triggers

Medium
Confidence
77% confidence
Finding
A broad invocation phrase like 'Record Idea:' without tighter trigger constraints can cause the skill to activate unintentionally on ordinary user content. In a skill with suspected file, shell, or remote-publishing behavior, accidental invocation becomes more dangerous because benign conversation could trigger side effects the user did not intend.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script creates a tar.gz archive of the current directory and uploads it to a remote API without any explicit warning, confirmation, or scoping of what files are included. This can unintentionally transmit sensitive local files such as hidden files, credentials, build artifacts, or unrelated workspace contents if the script is run from an unexpected directory.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script reads an authentication token directly from `~/.clawhub/credentials` and sends it in an Authorization header without disclosing that local credentials are being accessed. Even if intended for legitimate publishing, silent credential use increases the risk of unauthorized or unexpected API actions and makes the script more sensitive if modified, copied, or run in an untrusted context.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill persists user-supplied note content to a local JSON file automatically, but the command flow shown to the user does not disclose that notes will be stored on disk. Because this is a note-taking skill that may collect sensitive personal thoughts, health-related content, or research ideas, silent persistence creates a privacy risk if users do not expect retention or if the host environment is shared or insecure.

External Transmission

Medium
Category
Data Exfiltration
Content
# 尝试用API发布
    echo "📤 Publishing via API..."
    curl -X POST "https://api.clawhub.com/v1/skills" \
      -H "Authorization: Bearer $(cat ~/.clawhub/credentials)" \
      -F "slug=zettelkasten" \
      -F "name=Zettelkasten - 卡片盒笔记法" \
Confidence
88% confidence
Finding
https://api.clawhub.com/

VirusTotal

60/60 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.