Skill v1.0.0

ClawScan security

siyuan-llm-wiki · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 30, 2026, 8:41 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's purpose (drive a Siyuan LLM‑backed wiki) is plausible and most behaviors match that purpose, but there are several inconsistencies and security-relevant issues (undeclared required credentials/env, local file access ambiguity, and unsanitized SQL string building) that warrant caution.
Guidance
What to consider before installing/running this skill:
- The skill genuinely integrates with a local Siyuan instance and needs your Siyuan API Token and notebook ID (the registry metadata does not declare these; provide them only if you trust the code).
- Review the included Python scripts before running. They call your Siyuan HTTP API and can create/update/delete content. Ensure you are comfortable with that level of access.
- The scripts construct SQL statements by interpolating unescaped user strings (e.g., search keywords, titles). This can cause incorrect queries or unintended disclosure of content inside your Siyuan database. If you will run these tools, avoid passing untrusted/unescaped input; consider adding proper escaping/parameterization.
- The documentation ambiguously permits reading from a local 'raw/' directory; if you don't want the agent to access arbitrary local files, avoid supplying a local path or running the agent with filesystem access.
- Operational checks: run Siyuan backups/snapshots before use; run in a test notebook first; prefer interactive mode (not --auto) until you trust the behavior; create a token with minimal required privileges if Siyuan supports scoped tokens.
- Fixes to consider before use: declare required env vars in the skill manifest, add dependency notes (Python + requests), sanitize SQL inputs or use parameterized queries, and ensure index/log lookups match your actual document titles.

If you want, I can point to the exact lines that interpolate SQL or suggest minimal code changes to safely escape inputs.

Review Dimensions

Purpose & Capability
concern
The skill is intended to use the Siyuan HTTP API and the code/instructions do require an API token and a notebook ID, but the registry metadata declares no required environment variables or credentials. The included Python scripts assume environment vars (SIYUAN_API, SIYUAN_TOKEN, SIYUAN_NOTEBOOK) and a Python runtime; that mismatch between declared requirements and actual code is an incoherence and increases risk (user may not realize a secret must be provided).
Instruction Scope
concern
SKILL.md and agents.md instruct the agent to read materials from a 'raw/' location which may be either a Siyuan folder or 'local directory' — that wording implies possible arbitrary local file reads but the provided scripts themselves only call the Siyuan HTTP API. This ambiguity (instructions allowing local filesystem reads) plus many API/SQL operations that scan/create/update/delete blocks means the agent will have broad read/write access to the user's Siyuan data. Additionally, the docs instruct constructing SQL statements and other operations using user-supplied text without guidance to sanitize/escape inputs.
Install Mechanism
note
There is no install spec (instruction-only), which reduces supply-chain risk. However two Python scripts are included (siyuan_api.py, siyuan_wiki_archiver.py) that require Python and the 'requests' package; the skill metadata does not declare required binaries or Python deps. There is no external download URL, which is low risk, but the missing dependency declaration is an operational gap.
Credentials
concern
The functionality legitimately requires a Siyuan API token and notebook ID, and the code uses SIYUAN_TOKEN / SIYUAN_NOTEBOOK / SIYUAN_API. Those are proportionate to the stated purpose. However the skill registry lists no required env vars — an inconsistency. Also many SQL and API calls are constructed with direct string interpolation of user-provided titles/keywords, which can lead to accidental query injection or unintended data exposure within the Siyuan instance.
Persistence & Privilege
note
The skill is not always-on (always:false) and is user-invocable; that's appropriate. It does, however, include functions to create, append, update, and delete blocks via the API. Those write/delete privileges are expected for a wiki-maintenance skill but increase blast radius (the agent can modify or remove user content). There is no indication the skill modifies other skills or system settings.