
Security audit

LinkMind Capture

Security checks across malware telemetry and agentic risk

Overview

LinkMind appears to be a real capture-to-Obsidian skill, but it needs Review because it uses session cookies, debuggable browser automation with anti-detection behavior, and cloud transcription with limited per-run consent.

Install only if you are comfortable letting the skill write into your Obsidian vault, download social media assets, use platform cookies, drive a local Chrome session, and send media to configured ASR services. Prefer a dedicated or low-privilege social account, avoid storing broad session cookies, review .env before use, and be aware that the Xiaohongshu path uses anti-bot evasion that may conflict with platform rules.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill declares only tool access but clearly instructs shell execution of networked commands, use of environment-stored secrets, and external downloads/transcription. This mismatch reduces user and platform visibility into the real trust boundary, making consent and policy enforcement weaker and increasing the chance that sensitive operations occur without informed approval.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The documented purpose understates several materially sensitive behaviors: credential collection, possible browser/session reuse, external media retrieval, and third-party ASR processing. When a skill's description omits these behaviors, users may authorize it for simple note capture without realizing it can access cookies, send content to external services, or control local browser state.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The code deliberately injects a stealth script to hide browser automation indicators and later simulates human mouse movement to bypass Xiaohongshu anti-bot checks. That behavior exceeds normal link-capture needs and can violate user expectations, platform controls, and legal/compliance boundaries while making the tool harder to audit and detect.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger phrases are common conversational expressions like '帮我保存' ("help me save") and '帮我记录' ("help me record"), which can easily appear in unrelated chats. Because the skill can create files, run shell commands, and perform network requests, accidental activation can lead to unintended data capture or filesystem modification.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill's headline behavior is writing generated Markdown and attachments into the user's Obsidian vault, but the description does not prominently warn that files and directories will be created or modified. Lack of up-front disclosure weakens informed consent and can surprise users with persistent local changes.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The code launches Chrome with --remote-debugging-port and an isolated temporary profile, then programmatically drives pages and can set cookies and execute JavaScript. Even though it binds checks to 127.0.0.1 and uses a temp profile, enabling unauthenticated CDP access on a local port materially increases attack surface: any local malware or another local process that discovers the port could attach and control the browser session, inspect content, or manipulate authenticated browsing done by this skill. In this skill context, which captures social-media content and metadata from user links, this is more sensitive because the browser may handle login state, scraped private content, or user-provided cookies.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The code uploads user-provided audio content to third-party transcription providers (iFlytek and optionally OpenAI) but this file contains no consent gate, warning, or policy enforcement before transmission. In a link-capture skill that may process private social media audio, silent external transmission creates a real privacy and compliance risk even if the implementation is otherwise expected.

Missing User Warnings

Low
Confidence
77% confidence
Finding
The function fetches arbitrary remote media URLs and writes the response to a local temporary file before processing. While this is part of the skill's purpose, accepting arbitrary URLs without validation or user-facing warning increases risk of unexpected downloads, local resource exhaustion, or retrieval of sensitive/internal targets if upstream input is attacker-controlled.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
At this point in execution, the handler conditionally loads user-supplied cookies into a browser session and combines that with previously configured stealth automation, yet there is no explicit consent or warning in the skill flow. This creates a transparency and privacy risk because the skill can act as the user on a logged-in session against a third-party service without clear disclosure.

Credential Access

High
Category
Privilege Escalation
Content
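- An ASR service (iFlytek or OpenAI) is configured in `.env`

If the condition is not met (ASR not configured), skip this step and show the following in Step 3:
"⚠️ Platform subtitles are unavailable and no ASR service is configured, so the audio cannot be transcribed. Please configure ASR credentials in .env."

**Execution steps:**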
Confidence
89% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
**Skip conditions (do NOT run the script):**
- `videoUrl` is `null` → no video to transcribe
- `.env` has no ASR variables configured → ASR not configured;
  inform the user: "Video transcription requires a configured ASR service (iFlytek or OpenAI Whisper); please configure it in .env. See .env.example."

**Multilingual transcripts:** If `fullText` is in a non-Chinese language, translate
and present the key points in Chinese when writing the deep summary. The SRT file
Confidence
89% confidence
Finding
.env

VirusTotal

67/67 vendors flagged this skill as clean.
