Notebook
Review
Audited by ClawScan on May 10, 2026.
Overview
Notebook appears to be a local-only notes tool, but its file-path handling is not tightly bounded, so a malformed type name could write notebook files outside the intended folder.
Review before installing. If you use it, stick to simple type names like letters, numbers, hyphens, or underscores, avoid storing secrets, and keep backups of the local notebook folder. The skill would be safer if it added strict path validation and clearer Node/install metadata.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malformed or agent-generated type name could place notebook files in unintended workspace locations, creating local file clutter or affecting files outside the notebook data area.
The notebook type name is used directly in filesystem paths without validation or a resolved-path containment check. A type name containing path traversal such as '../' could make the skill create or delete YAML object files outside the intended notebook objects directory.
function getObjectPath(type, id) {
  const typeDir = path.join(OBJECTS_DIR, type);
  if (!fs.existsSync(typeDir)) fs.mkdirSync(typeDir, { recursive: true });
  return path.join(typeDir, `${id}.yaml`);
}
Reject type names containing path separators, absolute paths, or '..'; resolve the final path and ensure it remains under the notebook objects directory before creating, reading, updating, or deleting files.
Users have less information about where the code came from and what runtime setup is expected.
The skill includes runnable JavaScript code and dependencies, but the registry metadata does not provide a source/homepage or install requirements. The included lockfile reduces dependency ambiguity, but users still have limited provenance context.
Source: unknown; Homepage: none ... No install spec — this is an instruction-only skill. ... Code file presence: 2 code file(s): cli.js, lib/store.js
Publish a source repository/homepage and declare Node/package requirements or an install/run spec so users can verify provenance and setup expectations.
Anything saved in the notebook may persist across sessions and could influence future agent work if retrieved.
The skill persistently stores user-defined notebook objects and an index on disk. This is expected for a personal knowledge base, but the stored content can later be searched, expanded, or reused by the agent.
fs.writeFileSync(filePath, yaml.dump(object)); ... fs.writeFileSync(INDEX_FILE, JSON.stringify(index, null, 2));
Avoid storing secrets unless you intend them to persist locally, and periodically review or back up the notebook data directory.
