Zettelkasten - Card Notes

Security checks across malware telemetry and agentic risk

Overview

The note-taking tool itself is mostly local, but the bundle includes a separate publishing script that can use ClawHub credentials to upload the current folder.

Install only if you are comfortable with local note persistence. Do not run publish.sh unless you intentionally want to publish the package, have reviewed the exact directory contents, and are comfortable using the ClawHub credential stored in ~/.clawhub/credentials.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (8)


Severity: Medium
Category: MCP Least Privilege
Confidence: 93%
Finding: The skill is presented as a note-taking utility, yet static analysis indicates file read, file write, and shell capabilities without any declared permissions. Undeclared sensitive capabilities are dangerous because they expand the trust boundary invisibly and can enable local data access or command execution that users and reviewers did not consent to.


Severity: High
Category: MCP Tool Poisoning
Confidence: 98%
Finding: This is a severe description-behavior mismatch: a Zettelkasten note-taking skill should not publish packages, read local credentials from ~/.clawhub/credentials, or call the ClawHub API via curl. Hidden credential access plus outbound network activity strongly suggests possible credential theft or unauthorized publishing, making the behavior far more dangerous in this benign note-taking context.

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding: This script adds software publishing and remote deployment behavior that is not required for a note-taking skill's runtime functionality. Even if intended for maintainer use, it packages the current directory and may upload local contents and metadata to a remote service, increasing the attack surface and creating a supply-chain and data-exfiltration risk if run in the wrong context.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding: The README states that the skill will automatically record user ideas, generate derived cards, and save related content, but it does not disclose how user data is stored, retained, or protected. For a note-taking skill that handles potentially sensitive personal thoughts, this omission can lead users to unknowingly expose private information and makes the behavior riskier in contexts involving personal journaling or proprietary ideas.

Missing User Warnings

Severity: Low
Confidence: 75%
Finding: The documentation advertises daily review push behavior and possible scheduling, but does not warn users that the skill may create automatic notifications or scheduled actions. While lower severity than data collection issues, undisclosed automated reminders can surprise users, create nuisance behavior, and in some environments leak the existence of private notes through visible notifications.

Vague Triggers

Severity: Medium
Confidence: 74%
Finding: The trigger phrase 'Record Idea: [Your idea content here]' is broad enough that the skill may activate on ordinary conversation or user-provided text without clear boundaries. Overbroad activation can cause unintended processing, unexpected tool use, or accidental capture of sensitive text, especially when combined with hidden capabilities identified elsewhere.

Missing User Warnings

Severity: Low
Confidence: 80%
Finding: The script creates a tarball of the entire current directory without clearly warning the user what will be included or that a persistent archive will be written to disk. This can accidentally capture sensitive files, hidden files, or build artifacts and leave them behind for later unintended disclosure.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The fallback curl path transmits both local archive contents and a bearer token read from ~/.clawhub/credentials to a remote API, but the script provides only generic status messages and no explicit consent or scope disclosure. Users may unknowingly send proprietary content or misuse privileged credentials, especially because the archive is built from the whole directory.

VirusTotal

60/60 vendors flagged this skill as clean.