Kg Note Method Obsidian

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Obsidian vault organizer that can change notes and filenames, so it should be used carefully but does not show hidden or malicious behavior.

Install only if you are comfortable letting the skill read and modify your Obsidian vault. Prefer `kg 检查` for preview-before-edit behavior, keep backups or version control, review `_working/` task files before resuming old work, and avoid web/image lookup or enrichment steps for private notes unless you accept that note topics or URLs may be sent externally.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (6)

Description-Behavior Mismatch

Medium (86% confidence)
Finding
HTTP link validation and external network searches extend the skill beyond local note organization into network-capable data retrieval. This increases attack surface through untrusted remote content, metadata leakage about note contents or URLs, and behavior users may not expect from a vault-organizing skill.

Description-Behavior Mismatch

Medium (92% confidence)
Finding
The skill claims it will not proactively rewrite notes, yet standard commands immediately modify, rename, create, and delete files without confirmation. This contradiction can cause users to trust the skill as mostly non-destructive when it actually performs direct mutations by default.

Intent-Code Divergence

Medium (93% confidence)
Finding
Contradictory safety language is dangerous because users and higher-level agents may rely on the reassuring statement and miss that later sections authorize direct mutations. In practice, this undermines informed consent and can lead to unintended data loss or large-scale note changes.

Context-Inappropriate Capability

Medium (84% confidence)
Finding
The enrichment workflow instructs the agent to perform general web searches and import external information into notes, which is a materially different capability from organizing an existing local vault. This can introduce hallucinated or low-trust content, leak user interests, and pull in adversarial data from the open web.

Vague Triggers

Medium (88% confidence)
Finding
The auto-trigger rule for messages beginning with `kg` or paths containing `vault` is broad enough to activate the skill in benign conversational contexts. Because the skill has write/delete behaviors, unintended invocation could cascade into unrequested file operations or planning steps.

Missing User Warnings

High (96% confidence)
Finding
Normal execution modes authorize direct file modifications, renames, creations, and deletions without a user warning or approval checkpoint. In a note vault, that creates substantial integrity risk: a mistaken classification, duplicate heuristic, or path match can irreversibly alter or remove user data.

VirusTotal

65/65 vendors flagged this skill as clean.
