ClawHub

Google Keep Skill

Security checks across malware telemetry and agentic risk

Overview

This Google Keep skill is purpose-aligned, but it needs review because it stores reusable Google session material and can read, update, archive, or trash notes through a persistent logged-in browser session.

Install only if you are comfortable giving the agent persistent access to your Google Keep account. Use a dedicated Google account or Chrome profile where possible, confirm exact note titles before update/delete/archive actions, protect ~/.config/google-keep-skill, and run logout when you no longer need the saved session.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue AgentSelf-Modification, Session Persistence
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill explicitly instructs the agent to execute shell commands and use a script that reads and writes local state, but it declares no permissions or equivalent capability boundaries. That mismatch can cause the platform or user to underestimate what the skill can do, increasing the chance of unsafe invocation and unauthorized file or shell access through the agent.

Tp4

High
Category
MCP Tool Poisoning
Confidence
87% confidence
Finding
The skill description presents a simple Google Keep integration, but the documented behavior also includes browser-based login, session persistence, profile storage, checklist-specific behavior, archive operations, and local credential/session handling. This broader behavior increases the attack surface and can mislead reviewers or users about the sensitivity of the skill, especially because persistent authenticated browser state is involved.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger phrase 'Manage notes' is broad enough to match many general user requests unrelated to Google Keep. Overbroad activation can cause the agent to invoke this skill in the wrong context, leading to unintended access to a logged-in Google account and accidental modification, deletion, or disclosure of notes.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill explicitly extracts authenticated Google session cookies and persists them to disk in JSON, creating a reusable bearer-token store outside the browser's normal protections. If the local account, config directory, backups, logs, or another skill/process is compromised, an attacker may be able to replay the session and access the user's Google Keep account without re-authentication.

Session Persistence

Medium
Category
Rogue Agent
Content
🗒️ **Full CRUD Operations**: Create, read, update, delete, and archive notes — text or list type.

📋 **List Support**: Create checklist-style notes with individual items, each properly injected as separate list entries.

🔐 **Persistent Session**: Login once manually; the session is saved and reused across all headless executions.
Confidence
82% confidence
Finding
Create checklist-style notes with individual items, each properly injected as separate list entries. 🔐 **Persistent Session**: Login once manually; the session is saved and reused across all headless

Session Persistence

Medium
Category
Rogue Agent
Content
version: 1.0.0
author: Ricardo Reichert
read_when:
  - Create notes in Google Keep
  - List notes from Google Keep
  - Update notes in Google Keep
  - Delete notes from Google Keep
Confidence
89% confidence
Finding
Create notes in Google Keep - List notes from Google Keep - Update notes in Google Keep - Delete notes from Google Keep - Archive notes in Google Keep - Manage notes --- # Google Keep Skill

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal