siyuan-llm-wiki

Security checks across malware telemetry and agentic risk

Overview

This is a coherent SiYuan knowledge-base helper, but it gives an agent broad write access to notes and can save conversation content without clear per-write consent.

Review carefully before installing. Use a dedicated SiYuan notebook, make a backup or snapshot first, provide the token through an environment variable or secret store instead of chat, and require the agent to preview and confirm every create/update/archive action. Avoid auto-archiving conversations that may contain private, confidential, or credential-like information.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (11)

Description-Behavior Mismatch

Medium (95% confidence)

Finding: The skill explicitly instructs the agent to persist information derived from ordinary user conversations into the wiki, even outside ingestion of user-supplied source materials. This creates an unauthorized memory/data-retention channel where transient chat content may be stored permanently without a clear, specific opt-in for each write, increasing privacy and confidentiality risk.

Intent-Code Divergence

Medium (83% confidence)

Finding: The template instructs the agent to populate the '个人批注' section during Source creation, but later guidance says that section is user-owned and must not be auto-modified. This contradiction can cause the agent to write into a user-reserved field, potentially overwriting expectations around ownership and unintentionally storing model-generated or user-derived content in a sensitive section.

Missing User Warnings

Medium (97% confidence)

Finding: The skill tells the user to paste a live Siyuan API token directly into the prompt given to an AI agent. That creates a strong risk of credential exposure through model context, conversation history, logs, telemetry, screenshots, or downstream tool output, enabling unauthorized modification of the user's notes if the token is reused.

Missing User Warnings

Medium (93% confidence)

Finding: The skill states that the agent will automatically initialize and update the knowledge base without clearly warning that it will modify persistent notebook data. In context, this can lead to silent or unexpected writes, corruption of notes, and user loss of control over stored knowledge, especially if the agent misinterprets instructions.

Missing User Warnings

Medium (96% confidence)

Finding: The skill describes automatic write-back after each conversation without requiring an explicit warning that content may be permanently stored. Users may reasonably assume chat content is ephemeral, so silently persisting discussion artifacts into the wiki can expose sensitive information later through search, linking, or future retrieval.

Missing User Warnings

Medium (97% confidence)

Finding: The memory write-back flow stores the user's original question verbatim in a synthesis document, but the skill does not require a privacy warning or consent check before doing so. Original questions can contain sensitive personal, business, or credential-adjacent information, so retaining them in documents materially increases exposure and discoverability risk.

Missing User Warnings

Medium (88% confidence)

Finding: In --auto mode, the script can persist the user's question and the full AI answer to the Siyuan API without an explicit confirmation or privacy notice at the point of write. That creates a real privacy and consent risk because potentially sensitive conversation content is automatically transmitted and stored when heuristic conditions match.

Ssd 3

Medium (98% confidence)

Finding: Instructing users to place a live API token inside the prompt is a direct credential-handling vulnerability because secrets become part of the model-visible conversation. This is more dangerous here because the token authorizes write operations over a local knowledge base, so exposure can lead to unauthorized reads, modifications, or destructive actions through the Siyuan API.

Ssd 3

Medium (95% confidence)

Finding: The workflow instructs the agent to persist user-provided conversation content and original questions into the wiki and log, creating a natural-language data retention risk. Once stored, sensitive details can propagate through indexes, backlinks, logs, and later queries, expanding the blast radius beyond the original interaction.

Ssd 3

Medium (92% confidence)

Finding: The script's core behavior is to archive full user questions and AI answers into persistent wiki pages and logs, which creates a straightforward data-retention and information-disclosure path. If conversations contain secrets, personal data, internal URLs, or credentials, those may be stored long-term in plain language and become accessible to anyone with access to the wiki or backups.

Ssd 3

Medium (95% confidence)

Finding: create_synthesis embeds the original question and full answer verbatim into markdown content sent to the wiki backend. This is dangerous because it operationalizes persistent storage of potentially sensitive user-provided or model-generated content, increasing exposure through indexing, search, sync, sharing, and backup systems.

VirusTotal

64/64 vendors flagged this skill as clean.