SiYuan Note

Security checks across static analysis, malware telemetry, and agentic risk

Overview

Prompt-injection indicators were detected in the submitted artifacts (unicode-control-chars); human review is required before treating this skill as clean.

Install this only if you are comfortable giving the agent full local SiYuan API access. Keep the API token private, point base_url only at your trusted local SiYuan instance, use explicit document/notebook scopes, and review any delete, move, bulk export, or SQL-style request before allowing it. ClawScan detected prompt-injection indicators (unicode-control-chars), so this skill requires review even though the model response was benign.

Static analysis

Install untrusted source

Warn

Finding: Install source points to a URL shortener or raw IP.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone or any agent process with access to this config can use the token to access and change your SiYuan notes.

Why it was flagged

The skill requires a SiYuan API token and instructs the user to store it in the skill config, giving the client authenticated access to the user's local SiYuan data.

Skill content

API token from SiYuan settings ... token: "your-api-token-here"

Recommendation

Keep config.yaml private, avoid sharing logs or files containing the token, and rotate the token if it may have been exposed.

What this means

A mistaken or over-broad delete request could remove important notes or notebooks.

Why it was flagged

The delete tool supports removing notebooks, documents, and blocks, and includes an option to bypass confirmation. This is expected for a management client but is high-impact.

Skill content

"Delete SiYuan notebooks and documents" ... parser.add_argument('--yes', '-y', action='store_true', help='Skip confirmation')

Recommendation

Require explicit user approval before delete operations, avoid using `--yes` unless you are certain, and keep backups of important notebooks.

What this means

If an agent uses attacker-controlled or unverified text as an ID, it could query more data than intended or cause errors.

Why it was flagged

The list tool builds an SQL query using the supplied notebook_id. This is local and purpose-aligned, but raw query construction should not use untrusted text.

Skill content

WHERE box = '{notebook_id}' AND type = 'd'

Recommendation

Use notebook IDs obtained from trusted SiYuan API results, and consider validating or parameterizing query inputs.

What this means

Private notes may be exposed to the agent context, and note text should be treated as data rather than instructions.

Why it was flagged

The read tool returns document Markdown content to stdout, meaning private note text can enter the agent conversation or downstream outputs.

Skill content

content = result.get('content', '') ... print(content)

Recommendation

Ask the agent to read only the specific documents needed, avoid broad exports unless necessary, and do not let instructions inside notes override your actual request.