ClawHub

yinxiang-notes

Security checks across malware telemetry and agentic risk

Overview

This skill mostly matches a Yinxiang/Evernote notes integration, but it exposes sensitive account access in ways users should review before installing.

Install only if you trust the publisher with broad access to your Yinxiang/Evernote account. Before using it, remove or avoid scripts/get_note_enml.py, do not share terminal logs from these scripts, verify the Obsidian sync path, keep .env out of version control, and run empty_trash.py only when you intentionally want irreversible deletion of all trashed notes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Tp4

High
Category
MCP Tool Poisoning
Confidence
84% confidence
Finding
A description-behavior mismatch is security-relevant because it can conceal sensitive operations from users and reviewers. In this case, undocumented behaviors such as downloading a fixed GUID note to local XML and printing Developer Token or environment configuration to the console can expose secrets and data outside the user's expected scope, which is especially risky for a note-taking integration handling private content.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The script prints the first 25 characters of the Developer Token to the console, unnecessarily exposing sensitive authentication material during normal operation. Even partial secret disclosure can aid token recovery, leak into shell history/log aggregation/CI logs, and violates the principle of minimizing credential exposure.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The script walks up to a workspace-level .env file, extracts EVERNOTE_TOKEN and EVERNOTE_NOTESTORE_URL, and prints part of the token and environment details to stdout. Exposing even partial credentials and broadening credential access beyond the skill directory creates unnecessary secret exposure risk through logs, terminal history, CI output, or shared execution environments.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README describes syncing notes into a local Obsidian vault and permanently emptying trash, but it does not clearly warn users that these actions modify local files and can irreversibly delete data. In an agent skill context, insufficient warning around destructive or state-changing operations increases the risk of accidental data loss, especially if invoked by automation or a user who assumes the actions are read-only.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
Showing a realistic-looking Developer Token format in documentation normalizes secret placement in plaintext and increases the chance that users paste real credentials into tracked files or shared screenshots. Because this skill relies on a high-privilege token for note access and modification, accidental disclosure could allow unauthorized reading, editing, deletion, or syncing of private notes.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The script prints the Evernote developer token prefix to stdout during normal operation. Even partial credential disclosure is sensitive because logs, terminal history, or captured output may be accessible to other users or systems and can aid credential identification or mishandling.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The code accesses credentials and prepares authenticated network communication without any validation, masking, consent boundary, or operational safeguards, while also printing sensitive configuration context. In a skill ecosystem, this increases the chance that secrets are used or exposed unexpectedly when the script is run for a seemingly simple listing action.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script prints the first 25 characters of the Evernote access token to stdout during normal execution. Even partial credential disclosure materially increases the risk of secret exposure through terminal history, logs, screenshots, CI output, or shared support transcripts, especially because token prefixes can aid correlation and partial reconstruction.

Ssd 3

Medium
Confidence
97% confidence
Finding
Displaying a masked-but-substantial portion of a bearer token in routine status messages leaks sensitive credential material. In this skill context, the token grants access to notes and metadata, so any credential exposure is more concerning because the script handles personal content and may be run in logged or shared environments.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal