Notex Skills
Pass. Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: notex-skills
Version: 1.3.1

The skill bundle includes a self-update mechanism in `scripts/self_update.py` that downloads and replaces the entire skill's code from a remote registry (mediportal.com.cn), which is a high-risk capability for remote code execution. Additionally, all scripts (e.g., `skills_run.py`, `notebooks_read.py`, `notex_open_link.py`) explicitly disable SSL certificate verification (`verify=False`), creating a significant vulnerability to Man-in-the-Middle (MITM) attacks. While the logic appears aligned with the NoteX service, the combination of auto-updating and weakened transport security is highly risky.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A generated link or captured log could grant access to the user's NoteX account/session until the token expires or is revoked.
The script appends the access token to a creator task URL and writes that URL to stderr logs. This exposes a bearer credential outside the narrowly documented open-link token flow and conflicts with the skill's stated no-token-in-logs policy.
```python
def _log(msg: str):
    print(msg, file=sys.stderr, flush=True)
...
final_url = f"{task_url}&token={xg_token}"
...
_log(f" 查看链接:{final_url}")
```
Do not log token-bearing URLs. Return only the minimum user-facing link, redact tokens in stderr/logs, use short-lived scoped tokens, and keep tokenized links limited to explicitly approved flows.
On an untrusted or intercepted network, a user's token and uploaded content could be observed or redirected without the normal TLS protections.
The script suppresses TLS warnings and disables certificate verification for requests that include the `access-token` header and may upload notebook content. Following redirects while carrying custom auth headers also increases leakage risk.
```python
warnings.filterwarnings("ignore", category=requests.packages.urllib3.exceptions.InsecureRequestWarning)
...
response = requests.request(... headers=headers, verify=False, allow_redirects=True, timeout=timeout)
```
Use the default `verify=True` behavior or a pinned CA bundle, stop suppressing certificate warnings, and disable redirects or strip `access-token` on redirects.
A changed or compromised dependency could alter authentication behavior or gain access to tokens used by this skill.
The skill instructs automatic, unpinned installation of an auth dependency and uses `--force`, including a GitHub fallback. Because that dependency supplies access tokens, forced unpinned replacement is a material supply-chain and privilege boundary risk.
If it cannot be read (meaning it is not installed), then run `npx clawhub@latest install cms-auth-skills --force` ... then run `npx clawhub@latest install https://github.com/spzwin/cms-auth-skills.git --force`
Pin dependency versions or commit hashes, avoid `--force` by default, require explicit user approval before installing or replacing auth skills, and document the trusted source.
Script behavior could change before the user-requested task runs, which reduces predictability unless the update mechanism is reviewed and controlled.
The script executes a self-update helper before performing the requested notebook operation. The behavior may be benign, but automatic update hooks should be clearly documented and bounded.
```python
from self_update import maybe_self_update
...
maybe_self_update()
```
Document what `maybe_self_update()` can modify, make updates opt-in or version-pinned, and show the user before changing skill code.
If used with an over-privileged token or by the wrong user, the skill could reveal sensitive operational or personal information.
The OPS module is purpose-aligned for operations analytics, but it can query individual users, phone-based identity matches, activity timelines, and custom operational data.
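Has dedicated query access to the underlying operations data ... `ontology_findUser` — exact/fuzzy person lookup (supports name, ID, phone number; fuzzy matching) ... `ontology_getUserActivity` — timeline of a user's operation records ... `ontology_customQuery` — controlled custom query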
Restrict OPS use to authorized accounts, enforce server-side role checks, minimize returned personal data, and audit who uses these queries.
Sensitive questions or results about users, departments, alerts, or platform activity may remain stored after the chat.
OPS query paths and results are persistently recorded for audit. This is understandable for operations, but retention, access control, and redaction are not specified in the artifacts.
My entire query trail and results are recorded in the system's `ops_agent_traces` table, so that the backend can audit and trace them at any time.
Disclose retention and access policies, redact sensitive fields in traces, and ensure trace data is only accessible to authorized auditors.
