Security audit

WizNote

Security checks across malware telemetry and agentic risk

Overview

This WizNote connector mostly matches its stated purpose, but it exposes account credentials in documentation and gives broad note-modifying and network-fetching authority with weak guardrails.

Install only if you trust the publisher and need broad WizNote account automation. Replace any example credentials with your own safely stored secrets, rotate any exposed password if it was real, restrict the configured WizNote server to a trusted HTTPS endpoint, and treat delete, share, upload, URL-import, and attachment-download actions as sensitive operations that should be explicitly confirmed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
Findings (33)

Tainted flow: 'url' from requests.post (line 555, network input) → requests.get (network output)

Medium
Category
Data Flow
Content
    def _get(self, path, params=None):
        """GET request wrapper"""
        url = f'{self.kb_server}{path}'
        resp = requests.get(url, params=params or {}, headers=self._headers())
        return self._parse_response(resp)

    def _post(self, path, data=None, params=None):
Confidence
90% confidence
Finding
resp = requests.get(url, params=params or {}, headers=self._headers())

Tainted flow: 'url' from requests.post (line 555, network input) → requests.post (network output)

Medium
Category
Data Flow
Content
    def _post(self, path, data=None, params=None):
        """POST request wrapper"""
        url = f'{self.kb_server}{path}'
        resp = requests.post(url, params=params or {}, json=data or {}, headers=self._headers())
        return self._parse_response(resp)

    def _put(self, path, data=None, params=None):
Confidence
93% confidence
Finding
resp = requests.post(url, params=params or {}, json=data or {}, headers=self._headers())

Tainted flow: 'url' from requests.post (line 555, network input) → requests.put (network output)

Medium
Category
Data Flow
Content
    def _put(self, path, data=None, params=None):
        """PUT request wrapper"""
        url = f'{self.kb_server}{path}'
        resp = requests.put(url, params=params or {}, json=data or {}, headers=self._headers())
        return self._parse_response(resp)

    def _delete(self, path, params=None):
Confidence
93% confidence
Finding
resp = requests.put(url, params=params or {}, json=data or {}, headers=self._headers())

Tainted flow: 'url' from requests.post (line 555, network input) → requests.post (network output)

Medium
Category
Data Flow
Content
            'title': title,
            'type': 'collaboration',
        }
        resp = requests.post(url, params=params, json=data, headers={
            'X-Wiz-Token': self.token, 'content-type': 'application/json'
        })
        result = resp.json()
Confidence
92% confidence
Finding
resp = requests.post(url, params=params, json=data, headers={ 'X-Wiz-Token': self.token, 'content-type': 'application/json' })

Tainted flow: 'url' from requests.post (line 555, network input) → requests.get (network output)

Medium
Category
Data Flow
Content
    def download_attachment(self, doc_guid, att_guid):
        url = f'{self.kb_server}/ks/attachment/download/{self.kb_guid}/{doc_guid}/{att_guid}'
        timeout = (self.ATTACHMENT_CONNECT_TIMEOUT_S, self.ATTACHMENT_READ_TIMEOUT_S)
        resp = requests.get(url, params={'clientType': 'web', 'clientVersion': '4.0'},
                            headers={'X-Wiz-Token': self.token}, stream=True, timeout=timeout)
        if resp.status_code != 200:
            raise Exception(f'下载附件失败: HTTP {resp.status_code}')
Confidence
88% confidence
Finding
resp = requests.get(url, params={'clientType': 'web', 'clientVersion': '4.0'}, headers={'X-Wiz-Token': self.token}, stream=True, timeout=timeout)

Tainted flow: 'url' from requests.post (line 555, network input) → requests.get (network output)

Medium
Category
Data Flow
Content
            'cookie': f'x-live-editor-token={editor_token}',
            'user-agent': 'Mozilla/5.0'
        }
        resp = requests.get(url, headers=headers, stream=True, timeout=timeout)
        if resp.status_code != 200:
            raise Exception(f'下载协作资源失败: HTTP {resp.status_code}')
        return resp.content
Confidence
86% confidence
Finding
resp = requests.get(url, headers=headers, stream=True, timeout=timeout)

Tainted flow: 'url' from requests.post (line 555, network input) → requests.post (network output)

Medium
Category
Data Flow
Content
        name = name or os.path.basename(file_path)
        url = f'{self.kb_server}/ks/attachment/upload/{self.kb_guid}/{doc_guid}'
        with open(file_path, 'rb') as f:
            resp = requests.post(
                url,
                files={'file': (name, f)},
                headers={'X-Wiz-Token': self.token},
Confidence
91% confidence
Finding
resp = requests.post( url, files={'file': (name, f)}, headers={'X-Wiz-Token': self.token}, params={'clientType': 'web', 'cli

Tainted flow: 'url' from requests.post (line 555, network input) → requests.get (network output)

Medium
Category
Data Flow
Content
            'cookie': f'x-live-editor-token={editor_token}',
            'user-agent': 'Mozilla/5.0'
        }
        resp = requests.get(url, headers=headers, stream=True, timeout=timeout)
        if resp.status_code != 200:
            raise Exception(f'下载协作资源失败: HTTP {resp.status_code}')
        return resp.content
Confidence
84% confidence
Finding
resp = requests.get(url, headers=headers, stream=True, timeout=timeout)

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The documentation includes and normalizes use of a plaintext account password in environment configuration, and even shows what appears to be a real credential value. This creates a direct credential exposure risk via source control, logs, screenshots, shell history, or process-environment leakage, and can lead to full account compromise.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The create-note tool accepts an arbitrary user-supplied URL, performs a direct server-side HTTP GET, follows redirects, parses the response, and imports the result into WizNote. This expands the connector from a WizNote API client into a general-purpose network fetcher, creating SSRF-style risk and unintended outbound access to internal or sensitive endpoints if untrusted users can invoke the tool.

Vague Triggers

High
Confidence
91% confidence
Finding
The trigger description is extremely broad, activating on general mentions of WizNote/Wiz or any operation related to the product. In an agent setting this can cause accidental invocation of powerful note-modifying, deletion, sharing, or upload actions when the user may only be discussing the tool rather than authorizing operations.

Missing User Warnings

High
Confidence
98% confidence
Finding
Displaying credential fields including a plaintext password without any warning or handling guidance encourages insecure secret management practices. In skill ecosystems, users often copy examples verbatim, so this materially increases the chance of credential leakage and downstream compromise.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill documents destructive and access-changing operations such as deletion, sharing, and attachment upload without warnings, guardrails, or confirmation requirements. In an automated agent context, omission of these safeguards raises the risk of accidental data loss, oversharing, or uploading sensitive local files to remote services.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The server downloads note resources and attachments and writes them to local paths derived from remote metadata such as resource names, without user confirmation. This can unexpectedly persist sensitive data on disk and, because filenames are not sanitized here, may also enable path traversal or overwrite of unintended files if a crafted attachment name contains path separators or traversal sequences.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The tool performs outbound requests to arbitrary URLs and silently turns fetched content into notes, without an explicit warning that network access will occur. In an MCP/agent setting, this can surprise users, leak network metadata, and be abused to contact attacker-controlled or internal endpoints under the server's network identity.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The wrapper exposes a destructive delete command that immediately deletes a note based solely on a GUID, with no confirmation prompt, dry-run mode, or other guardrail. In an agent-driven context, ambiguous user requests, prompt injection, or parameter mix-ups can cause irreversible data loss much more easily than in a purely manual CLI workflow.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
Deleting a category is also a destructive action, and the wrapper performs it immediately without any user-facing warning or confirmation. Depending on backend behavior, this can cause loss of organization or affect many notes at once, making the absence of a safety check particularly risky in an automated skill.

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests
websocket-client
python-dotenv
html2text
Confidence
95% confidence
Finding
requests

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests
websocket-client
python-dotenv
html2text
bs4
Confidence
95% confidence
Finding
websocket-client

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests
websocket-client
python-dotenv
html2text
bs4
certifi
Confidence
94% confidence
Finding
python-dotenv

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests
websocket-client
python-dotenv
html2text
bs4
certifi
trafilatura
Confidence
93% confidence
Finding
html2text

Unpinned Dependencies

Low
Category
Supply Chain
Content
websocket-client
python-dotenv
html2text
bs4
certifi
trafilatura
markdown
Confidence
93% confidence
Finding
bs4

Unpinned Dependencies

Low
Category
Supply Chain
Content
python-dotenv
html2text
bs4
certifi
trafilatura
markdown
pypdf
Confidence
94% confidence
Finding
certifi

Unpinned Dependencies

Low
Category
Supply Chain
Content
html2text
bs4
certifi
trafilatura
markdown
pypdf
pytesseract
Confidence
94% confidence
Finding
trafilatura

Unpinned Dependencies

Low
Category
Supply Chain
Content
bs4
certifi
trafilatura
markdown
pypdf
pytesseract
pillow
Confidence
95% confidence
Finding
markdown

VirusTotal

52/52 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.