RemNote Notes

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed RemNote integration that can read and, with explicit confirmation, modify notes; its broader recovery steps are visible and tied to reconnecting RemNote.

Install only if you trust remnote-mcp-server and the RemNote bridge with your RemNote content. Use normal read-only commands freely, type "confirm write" only after checking the exact note change, and be aware that troubleshooting may start or restart the MCP server or the OpenClaw-managed browser profile to reconnect RemNote.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding
The failure-handling section authorizes actions outside the skill’s declared purpose, including starting local services and manipulating browser state. Expanding from RemNote note operations into host and browser recovery increases the attack surface and can let a note-management request trigger unrelated system actions the user did not intend.

Context-Inappropriate Capability

Medium
Confidence: 96%
Finding
The skill explicitly includes browser stop/start/open operations even though its stated purpose is RemNote note management. Browser lifecycle control is a materially broader capability than reading or writing notes, and if invoked automatically during failure recovery it could disrupt user sessions, alter browser state, or be abused as a pivot into unrelated web actions.

VirusTotal

65/65 vendors flagged this skill as clean.
