Knowledge Graph Notes

Security checks across malware telemetry and agentic risk

Overview

This note-linking skill works locally for its stated purpose, but users should review it because it can edit original notes and persist note-relationship metadata without strong controls.

Install only if you are comfortable letting it scan the selected notes directory and potentially modify note files. Run it first on a copied or version-controlled vault, prefer JSON/Mermaid output for review, pass the exact notes directory explicitly, and inspect or delete the temp graph cache if note names or topics are sensitive.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (10)

Tp4

High
Category
MCP Tool Poisoning
Confidence
90% confidence
Finding
The skill claims to create bidirectional links between related notes, but the body describes significantly broader behavior: full-vault indexing, semantic analysis, graph construction, caching, querying, exporting, and automatic note modification. This mismatch is dangerous because users may authorize a seemingly narrow note-linking skill without realizing it can analyze and persist metadata for an entire note corpus and modify files automatically.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The script is presented as an exporter, but in Obsidian mode it mutates source notes by appending `## Related` links directly into files under the notes directory. This violates least surprise and can cause unintended persistent content changes, especially because link targets and reasons come from cached graph data in a temp file rather than being regenerated and validated at export time.

Intent-Code Divergence

Medium
Confidence
85% confidence
Finding
The top-level documentation describes the file as an export utility, but the implementation includes source-file modification behavior. This documentation/behavior mismatch is security-relevant because users and calling agents may invoke the script expecting a safe read-only export, leading to unauthorized or accidental integrity changes in note content.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The README suggests very broad natural-language invocation phrases like "link my notes" and "find connections in my notes," which can cause the skill to activate in contexts the user did not intend. Because this skill scans directories of notes and may perform auto-linking behavior, accidental triggering could expose private note contents to processing or lead to unintended file modifications.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README states that notes scoring above a threshold are "safe to add [[wikilink]] automatically" and that the tool writes new links in Obsidian format, but it does not prominently warn users that their files may be modified. In a note-taking context, silent or poorly disclosed automatic edits can corrupt content, create misleading links, or alter large personal knowledge bases without informed consent.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The trigger phrases are broad conversational requests like 'show me all notes about Y' and 'I have notes scattered, can you organize them,' which could cause unintended invocation in normal discussion. In this skill's context, accidental triggering is more dangerous because invocation may scan a notes directory, build relationship graphs, and potentially modify note files.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill omits a prominent warning that it may auto-insert `[[wikilink]]` links into user notes. This is risky because silent or poorly disclosed content modification can alter knowledge bases, create incorrect backlinks, and damage note integrity, especially when driven by heuristic similarity rather than deterministic user-selected edits.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
Obsidian export silently appends content to note files if a computed link is not already present, without user confirmation or dry-run behavior. In this skill context, notes are user knowledge artifacts, so silent modification is particularly dangerous because it can corrupt trusted documentation, introduce misleading links, and make downstream tools consume altered source data.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The script persists derived note metadata and relationship data to a predictable temp-file location outside the notes directory without notice or permission. On multi-user systems or systems with weak temp-directory hygiene, this can expose sensitive information about note contents, filenames, topics, and relationships to other local users or processes.

Session Persistence

Medium
Category
Rogue Agent
Content
### Obsidian Compatibility
- Read existing `[[wikilink]]` syntax
- Write new links in Obsidian format
- Respect `![[embed]]` and `![[callout]]` patterns

### Performance
Confidence
84% confidence
Finding
Write new links in Obsidian format - Respect `![[embed]]` and `![[callout]]` patterns ### Performance - Index vault once, cache in `~/.qclaw

VirusTotal

63/63 vendors flagged this skill as clean.
