Back to skill

Security audit

SiYuan Note

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed SiYuan note-management skill, but it exposes broad raw database, file, and network proxy powers that deserve careful review before installation.

Install only if you intend to give the agent broad authenticated control over your local SiYuan workspace. Keep config.yaml private, review any SQL, delete, move, export, file, Pandoc, or proxy request before allowing it, and avoid using the network proxy unless you explicitly trust the destination and payload.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (22)

Lp3

Medium
Category
MCP Least Privilege
Confidence
96% confidence
Finding
The skill advertises and documents network, file read, and file write capabilities but declares no permissions, which prevents users and any permission-gating system from understanding the real blast radius. In this context the skill can access local notes, manipulate workspace files, and make network requests through SiYuan, so the missing declaration materially increases the risk of unauthorized data access or modification.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The stated purpose is note management, but the documented behavior extends to arbitrary SQL execution, generic file operations, Pandoc conversion, template rendering, UI messaging, exports, and generic HTTP proxying. This mismatch can mislead users into trusting a narrower capability set than the skill actually exposes, increasing the chance of data loss, data exfiltration, or abuse of the local SiYuan API surface.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The API exposes a generic forward-proxy primitive that can send caller-controlled requests, headers, payloads, and encodings to arbitrary URLs. In an agent skill context, this materially expands the trust boundary beyond note management and can be abused for SSRF-style access, data exfiltration, or relaying authenticated requests through the local app.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The API permits execution of arbitrary SQL statements via a raw stmt parameter, which exceeds ordinary notebook/document management needs and exposes internal data structures directly. If an agent can invoke this, it may read or manipulate broad application data, bypass safer higher-level APIs, and potentially corrupt or expose sensitive content.

Context-Inappropriate Capability

Medium
Confidence
85% confidence
Finding
The documented Pandoc conversion capability accepts caller-supplied command-style arguments, giving agents a powerful file-processing interface beyond normal note editing. Even if intended for document conversion, argument-driven tooling can expose risky file access patterns, unexpected parser behavior, or invocation of dangerous Pandoc features depending on runtime configuration.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
A generic HTTP forwarding/proxy feature is not necessary for ordinary notebook management and can be used to relay requests to arbitrary destinations through the trusted local SiYuan service. That creates an exfiltration and SSRF-like risk path, especially if note contents, tokens, or local data can be forwarded off-host.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The safety section says queries are read-only by default, yet the SQL interface documents arbitrary query execution without enforced read-only controls. This kind of misleading safety claim can cause users to run dangerous queries under false assumptions, potentially corrupting or deleting note database content.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The client exposes a generic HTTP forwarding primitive that can send arbitrary requests to attacker-chosen URLs through the SiYuan backend. In an agent skill context, this materially expands the trust boundary from note management to unrestricted network access, enabling SSRF-style access to internal services, data exfiltration, and use of privileged local network reachability the agent may not otherwise have.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The query_sql method accepts arbitrary SQL statements and forwards them directly to the SiYuan database API, despite only a docstring warning that read-only queries are recommended. In a skill exposed to an agent, this grants broad low-level access that can bypass safer application-layer operations, potentially reading sensitive data, corrupting content, or abusing database features beyond intended notebook management.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The file-management methods expose direct workspace file read/write/remove/rename behavior outside higher-level notebook/document abstractions. In an agent setting, this increases risk of unauthorized file access, overwriting or deleting workspace data, and interacting with internal application files that may contain secrets, configuration, or structured content not intended for routine skill operations.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The export workflow mutates application state by automatically opening a notebook that was previously closed. For a tool whose expected behavior is read/export only, this side effect can violate user expectations, alter privacy or synchronization state, and leave the workspace in a different condition after execution.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The tool is presented as a note-search utility, but it exposes a raw SQL mode that forwards arbitrary user-supplied statements directly to `client.query_sql`. In an agent or skill context, this expands the capability from simple search to unrestricted database querying, which can enable unauthorized data access and potentially destructive operations if the backend permits write statements.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The header and usage text describe the script as searching notes, but the implementation also supports executing arbitrary SQL through the `--sql` flag. This mismatch is dangerous because users, calling code, or higher-level agents may trust the tool as a limited search interface while it actually grants much broader database access.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The file APIs allow arbitrary write, delete, and rename operations within the workspace with no documented guardrails, confirmation guidance, or narrowing to note-specific paths. In an agent setting, this creates a strong risk of destructive modification of user content, configuration, exports, and other workspace artifacts.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The network forwarding API lets callers provide arbitrary URLs, headers, payloads, and encodings without any privacy or security warning. This is dangerous because an agent could transmit user data to third parties, replay cookies or tokens, or probe internal services while appearing to act as a normal note-management integration.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill prominently exposes remove/delete operations for notebooks and documents without clear warnings about irreversibility, backup expectations, or confirmation requirements. In a note-management context these operations can directly destroy user data, and the surrounding documentation may normalize their use without enough caution.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation tells users to paste an API token into a local config file but does not warn that the token is sensitive, should be protected by file permissions, and must not be committed or shared. Because the token grants access to the local SiYuan API, exposure could allow unauthorized reading or modification of notes and files.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The proxy method allows arbitrary outbound requests with caller-supplied headers and payloads and provides no built-in user-facing warning, consent gate, or destination restrictions. That makes it easy for an agent workflow to silently transmit notebook content, tokens, local file data, or other sensitive context to third parties without clear authorization.

Missing User Warnings

Low
Confidence
90% confidence
Finding
The code builds a SQL query by directly interpolating the user-supplied notebook_id into the WHERE clause. If notebook_id contains quotes or SQL syntax, an attacker could alter the query to read unintended documents or metadata beyond the selected notebook. In this skill context, the function is explicitly intended to list notes, so the data-access surface makes the injection more meaningful rather than purely theoretical.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The path-based move operation performs a destructive state change without any user confirmation, unlike the ID-based move paths that explicitly prompt before proceeding. In a note-management skill, this increases the risk of accidental or unintended bulk relocation of documents, especially when paths are supplied programmatically or by an upstream agent.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The `search_by_sql` path accepts any SQL statement and executes it without warning, validation, or restrictions. In the skill context this is more dangerous because an agent may expose the feature to untrusted prompts or users, allowing data exfiltration, schema discovery, or destructive modification if the SiYuan backend accepts non-read-only SQL.

External Transmission

Medium
Category
Data Exfiltration
Content
```python
# Forward HTTP request through SiYuan proxy
response = client.forward_proxy(
    url="https://api.example.com/data",
    method="GET",
    headers=[{"Authorization": "Bearer token"}]
)
Confidence
87% confidence
Finding
https://api.example.com/

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.install_untrusted_source

Install source points to URL shortener or raw IP.

Warn
Code
suspicious.install_untrusted_source
Location
config.example.yaml:10