Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
yinxiang-notes
v1.0.0 · Yinxiang Note (印象笔记, China edition) integration skill. Uses a Developer Token to create, organize and search notes in Yinxiang Note. Supports listing notebooks, creating notes, updating note content/tags, moving notes to the trash, viewing/emptying the trash, searching content, and incremental sync to an Obsidian vault. Intended for users of app.yinxiang.com.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious · medium confidence
Purpose & Capability
The scripts implement Evernote (印象笔记) operations and an Obsidian sync as described — creating, updating, deleting, searching notes and syncing to a local vault. However the registry metadata claims no required environment variables or primary credential even though every script expects an EVERNOTE_TOKEN (and a NoteStore URL) provided via a .env file. That metadata omission is an incoherence: the skill does require sensitive credentials to function.
Instruction Scope
SKILL.md and the included scripts operate within the stated domain (Evernote API and local Obsidian vault). But the code: (1) looks for a .env file by traversing up from scripts/ (so it may read tokens from the workspace root), (2) contains a get_note_enml.py with a hard-coded TARGET_GUID that fetches a specific note and writes it to disk, and (3) writes files into a hard-coded VAULT_PATH (a Windows path) when syncing. Those behaviors expand the runtime scope (reading .env, writing to arbitrary local paths, saving note contents to disk) and include non-obvious defaults. Some scripts also print the token prefix to stdout/logs, and one script (list_tags.py) prints the token variable itself, which risks leaking credentials in logs.
Install Mechanism
There is no automated install spec (instruction-only with Python scripts). SKILL.md tells the user to pip install evernote3, thrift, html2text; that is expected and low-risk compared to arbitrary downloads. Because installation is manual, risk is limited to what the Python runtime and packages do at execution time (no remote executable downloads in the manifest).
Credentials
The code requires an Evernote developer token (EVERNOTE_TOKEN) and optionally EVERNOTE_NOTESTORE_URL via a .env file, but the registry metadata lists no required env vars or primary credential — this mismatch is significant. The scripts read that token from disk (not from process env) and then use it as an Authorization Bearer header to call the NoteStore. Additional concerns: scripts log/print token snippets (and in one case the token is printed to stdout), and the sync writes data to a default local vault path that may overwrite or expose local files. All requested environment/credential access should be declared explicitly in metadata — here it is not.
Persistence & Privilege
The skill does not request 'always:true' and does not modify other skills or global agent settings. It can be invoked by the agent (normal default), and the scripts persist state only to local files (a .sync_state.json and the target Obsidian vault). No elevated platform privileges are requested in the manifest.
What to consider before installing
- Credential handling: this skill requires an Evernote developer token (EVERNOTE_TOKEN) and a NoteStore URL (EVERNOTE_NOTESTORE_URL) provided via a .env file — but the registry metadata does not declare them. Treat that as a red flag: confirm you have only the minimal token you trust and that the .env file doesn't contain other secrets.
- Log leakage: several scripts print token fragments (and list_tags.py prints the token variable). These outputs can appear in logs or consoles and may leak credentials — remove or redact those prints before use.
- Hard-coded behaviors: sync_to_obsidian.py writes to a hard-coded VAULT_PATH (C:\Users\adun\Documents\印象笔记同步) and get_note_enml.py contains a hard-coded TARGET_GUID and writes its content to scripts/note_enml_output.xml. Update these defaults to safe, user-controlled values or run the scripts in a sandbox until you confirm the paths are appropriate.
- File I/O & data exposure: the sync will write notes and attachments to your local filesystem; if you run it in a directory containing other sensitive files, it may read/write state nearby (.env lookup traverses up). Place the skill in an isolated workspace or ensure .env contains only Evernote credentials for this skill.
- Autonomous invocation: the skill can be invoked by the agent (normal default). If you are concerned about automated access to your Evernote data, disable autonomous invocation or require manual confirmation before running scripts.
- Recommended actions before use: (1) inspect and remove the get_note_enml.py hard-coded GUID or only run it after review; (2) change/remove token-printing lines; (3) set VAULT_PATH to a directory you control; (4) supply a scoped developer token (least privilege) and not a broad production token; (5) run first in a disposable environment to verify behavior.
If you want, I can: (a) list the exact lines that print the token or reference the hard-coded GUID/path to help you patch them, or (b) produce a safe checklist/patch set to sanitize the scripts prior to use.
latest: vk971rk3zhfr0hqj556jwv1t2sx838b3d
