bullet-journal-gen

Security checks across malware telemetry and agentic risk

Overview

This skill is a useful journal generator, but it automatically persists sensitive notes and generates interactive HTML with weak safety controls, so users should review it before installing.

Install only if you are comfortable with personal or work journal content being written in plaintext to multiple local files and backups. Avoid pasting untrusted HTML or script-like text into notes, review generated HTML before opening or syncing it, and consider adding a preview/confirm step plus retention and deletion controls before regular use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill advertises substantial capabilities to read/write files, invoke shell commands, and access network resources, yet it declares no permissions or user-consent boundary. This creates a real security and privacy risk because the agent may persist sensitive journal content, fetch external data, and execute helper scripts without transparent authorization or least-privilege controls.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The documented behavior goes beyond simple note formatting into automatic persistence, backup, weather retrieval, task-state tracking, local data reuse, and interactive HTML generation. That mismatch is dangerous because users may supply sensitive diary or work content believing it is being reformatted only, while the skill silently stores, enriches, and reuses that data across files and sessions.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The skill initializes and uses a WeatherFetcher, introducing outbound network access unrelated to the core advertised function of converting free-form notes into bullet-journal formats. Hidden or undocumented network-capable behavior expands the attack surface, may transmit user context or metadata externally, and violates the principle of least privilege for a journaling/formatting skill.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
This code performs weather retrieval during normal processing, but that behavior is not reflected in the manifest description. Undisclosed external data access is dangerous because users may provide sensitive journal content under the assumption the skill is only doing local formatting, while the runtime behavior includes additional capabilities and trust assumptions.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The template is not purely presentational: it attaches click handlers that change task state and sends POST requests to a backend update endpoint using task identifiers and the current date. In a skill advertised as generating bullet-journal notes/cards, hidden state-changing behavior expands scope into modifying user data, which can cause unintended task updates and creates a larger attack surface if rendered in a trusted context.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documentation states that user notes are automatically saved and backed up, but it does not disclose retention, storage location, backup scope, or privacy implications. Because notes may contain sensitive personal, work, or study information, silent persistence and backup can cause unintended data exposure or policy violations, especially on shared devices or synced folders.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The overview says the skill retrieves weather information but does not warn that this may require network access or contacting an external service. Even if the data is low sensitivity, undisclosed outbound requests can leak metadata such as usage time, IP address, locale, or inferred location, which is a transparency and privacy concern.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README explicitly advertises automatic saving and backup of generated notes, including daily logs and structured JSON, but provides no warning, consent flow, retention policy, or guidance about sensitive personal/work data being persisted. For a journaling skill that processes potentially private thoughts, schedules, work items, and research notes, silent persistence materially increases privacy and data exposure risk if users assume ephemeral processing.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The trigger phrases are broad everyday expressions such as '记下来', '今天总结', and '待办事项', making accidental invocation likely in normal conversation. In this skill, accidental activation is more dangerous because it can lead to automatic file creation, backup, and Obsidian integration of potentially sensitive personal or work information without clear user intent.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly documents automatic saving and backup of journal content but does not present a prominent user warning or consent flow around persistence. Because the processed content may include personal routines, health, work, and project details, silent storage and backup materially increase confidentiality risk, retention risk, and unintended disclosure risk.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The document explicitly states that the skill will automatically generate, save, and back up multiple files, but it does not clearly warn users before execution that local filesystem writes will occur. In an agent-skill context, undocumented write behavior can surprise users, overwrite data, or create privacy and persistence risks, especially because the examples include absolute local paths and integration with Obsidian logs.

VirusTotal

63/63 vendors flagged this skill as clean.
