Get Notes Sync

Security checks across malware telemetry and agentic risk

Overview

The skill appears to perform the advertised Get Notes sync, but it stores reusable account credentials locally and includes a deletion helper without sufficient safeguards.

Install only if you are comfortable giving this skill access to your biji.com notes and storing reusable login/session data on disk. Use a private, non-shared, non-repository output directory, add the generated .token-cache.json, .auth-state.json, and .sync-state.json files to ignore rules yourself, and avoid running dedupe.js unless you have a backup and have reviewed what it will delete.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (7)

Missing User Warnings

Medium (90% confidence)
Finding
The README explicitly describes automatic synchronization to local Markdown and persistent storage of authentication artifacts such as JWT, refresh_token, and browser auth state, but it does not clearly warn users that sensitive note content and credential material will be written to disk. This creates a real security risk because users may run the tool on shared, backed-up, or insecure systems without understanding that transcripts and reusable auth tokens may remain locally accessible.

Missing User Warnings

Medium (91% confidence)
Finding
The skill states that JWT, refresh_token, and browser auth state are cached locally, but it does not warn users that these are sensitive credentials that may grant continued access to their biji.com account. If these files are stored insecurely, synced to cloud drives, committed to source control, or read by other local users/processes, an attacker could reuse them to access private notes.

Missing User Warnings

Low (83% confidence)
Finding
The skill exports synced note summaries and full transcripts into a user-specified local directory without an explicit privacy warning. Because these notes may contain sensitive personal, business, or meeting content, writing them into an arbitrary folder can cause unintended exposure through shared directories, backups, indexing, or version control.

Missing User Warnings

Medium (94% confidence)
Finding
The code persistently stores bearer tokens, refresh tokens, and expiry metadata in plaintext local files under the project directory. Any other local user, process, malware, backup/sync tool, or accidental repository inclusion could recover long-lived credentials and reuse them to access the victim's notes account without re-authentication.

Missing User Warnings

Medium (95% confidence)
Finding
The script saves Playwright browser storage state to disk, which can include authentication artifacts such as tokens and session state, again in a local project file. Because this state originates from an interactive browser login, users may not realize they are creating a reusable authentication cache that could be stolen or reused later by anyone with filesystem access.

Missing User Warnings

Medium (95% confidence)
Finding
The script permanently deletes files with fs.unlinkSync based solely on duplicate note_id detection, with no confirmation prompt, dry-run mode, backup, or trash/recycle-bin behavior. In this skill's context, the target directory is user-controlled via OUTPUT_DIR and the logic assumes the largest file is the correct one, so mistakes in parsing or operator error can cause irreversible loss of legitimate notes.

Missing User Warnings

Medium (90% confidence)
Finding
The script extracts bearer tokens and refresh-token metadata from browser localStorage and writes them to disk in .token-cache.json and .auth-state.json. Persisting live authentication material to local files increases the risk of account compromise if the host is multi-user, malware is present, backups are exposed, or the files are accidentally committed or shared; the skill context makes this more sensitive because the code is explicitly automating login reuse without fresh user interaction.

VirusTotal

65/65 vendors flagged this skill as clean.