Youdao Note Web

Security checks across malware telemetry and agentic risk

Overview

This skill is built for Youdao note access, but it needs review because it uses a full browser session cookie and can bulk-read private folders without strong confirmation safeguards.

Install only in a trusted local environment. Treat YOUDAO_COOKIE like a password for your Youdao account, avoid broad folders unless you intend every note in that folder to enter the agent context, preview any create action, and remove or rotate the cookie after use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (14)

Lp3

Medium
Category
MCP Least Privilege
Confidence
87% confidence
Finding
The skill uses sensitive capabilities (environment variables and network access) to operate on a user’s cloud notes account, but it does not declare permissions or boundaries for that access. This weakens user consent and oversight, making it easier for an agent to access account data in ways the manifest does not transparently communicate.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The manifest claims a narrower, safer capability set than the documentation actually describes, including bulk folder reads, listing, image metadata extraction, and direct use of browser cookies to impersonate a logged-in web session. This mismatch is dangerous because users and orchestrators may authorize the skill under false assumptions while it can access substantially more data than advertised.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The manifest omits the documented read_all capability, which enables collection of every note in a folder rather than targeted single-note access. Hidden bulk-access functionality increases the risk of over-collection of sensitive personal or business data without sufficiently informed consent.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The skill relies on a full browser session cookie from the environment, giving it broad account access equivalent to the logged-in user. In an agent setting, this is dangerous because compromise, misconfiguration, logging, or unintended reuse of the environment can expose a long-lived authenticated session and enable unauthorized note access or modification.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The read_all_in_dir function enables bulk collection of every note in a directory, greatly increasing the blast radius of a mistaken or malicious invocation. In an agent context this is more dangerous than single-note access because it facilitates mass exfiltration of personal or sensitive data with one command.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README instructs users to extract and store a full authenticated browser cookie string, including session-bearing values such as YNOTE_LOGIN and YNOTE_SESS, in an environment variable without any warning about credential sensitivity, scope, or handling risks. Those cookies can function as bearer credentials, so disclosure through shell history, process inspection, logs, crash reports, screenshots, or downstream tooling could allow unauthorized access to the user's Youdao Notes account.

Vague Triggers

Medium
Confidence
81% confidence
Finding
The activation text is broad enough that the skill could trigger on vague requests involving notes, increasing the chance of unnecessary authenticated access to a user’s account. Overbroad trigger conditions are risky for a skill that can search, read, and bulk-read private note content using session cookies.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The workflow instructs the agent to read all notes in a folder and perform analysis without an explicit user-facing warning about the scale and sensitivity of the access. In the context of personal cloud notes, this can expose large amounts of private or confidential information far beyond what a user may expect from a simple analysis request.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The code silently transmits a credential-bearing session cookie to remote endpoints without any user-facing warning, which is risky in an agent environment where the user may not realize their live browser session is being reused. This can lead to surprising account access and raises the chance of sensitive credential misuse or mishandling.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill can create remote notes in the user's account without an explicit confirmation step, making unintended state-changing actions possible from ambiguous prompts or agent misbehavior. In a note-management skill, write capability is expected, but lack of confirmation still creates integrity and user-trust risk.

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests
brotli
Confidence
96% confidence
Finding
requests

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests
brotli
Confidence
92% confidence
Finding
brotli

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category
Supply Chain
Confidence
94% confidence
Finding
requests

Known Vulnerable Dependency: brotli — 3 advisory(ies): CVE-2025-6176 (Scrapy is vulnerable to a denial of service (DoS) attack due to flaws in brotli ); CVE-2020-36846 (Integer overflow in the bundled Brotli C library); CVE-2020-36846 (A buffer overflow exists in the Brotli library versions prior to 1.0.8 where an )

High
Category
Supply Chain
Confidence
80% confidence
Finding
brotli

VirusTotal

64/64 vendors flagged this skill as clean.
