Zettelkasten CN

Security checks across malware telemetry and agentic risk

Overview

This is a local note-management skill, but its undo history can be used to move or overwrite files outside the intended notes folder if that history is tampered with or misused.

Review before installing if you will run this through an agent with broad filesystem access. Use a dedicated cards directory, keep backups, avoid running undo after manually editing operation history, and do not expose ZETTELKASTEN_SKILL_DIR to untrusted values.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (8)

Tainted flow: 'cmd' from os.environ.get (line 145, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
    cmd.extend(["--memory", memory_date])

    try:
        result = subprocess.run(
            cmd,
            capture_output=True,
            text=True,
Confidence
83% confidence
Finding
result = subprocess.run( cmd, capture_output=True, text=True, cwd=str(SKILL_DIR) )

Tainted flow: 'cmd' from os.environ.get (line 145, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
        # Execute the command
        try:
            result = subprocess.run(
                cmd,
                capture_output=True,
                text=True,
Confidence
85% confidence
Finding
result = subprocess.run( cmd, capture_output=True, text=True, cwd=str(SKILL_DIR) )

Tainted flow: 'cmd' from os.environ.get (line 223, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
                        "path": self.result["path"]
                    }, ensure_ascii=False)
                ]
                subprocess.run(cmd, capture_output=True, cwd=str(SKILL_DIR))
        except:
            pass  # A failure to record history must not affect the main flow
Confidence
82% confidence
Finding
subprocess.run(cmd, capture_output=True, cwd=str(SKILL_DIR))

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill exposes file read/write, shell execution, and environment access capabilities but does not declare any permissions or safety boundaries. This creates a transparency and consent failure: an agent or user may invoke destructive filesystem or shell-backed actions without understanding the operational scope, especially given the documented create/delete/undo flows over a Desktop path.

Tp4

High
Category
MCP Tool Poisoning
Confidence
84% confidence
Finding
The documented behavior does not fully match the declared purpose, including undeclared conversion, trash/archive handling, and overstated 'bidirectional' memory integration. Behavior mismatches are dangerous because reviewers and users make trust decisions based on the declared scope; hidden or overstated functionality can mask destructive file movement or data-retention behavior.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The undo logic trusts file paths stored in operation details and performs shutil.move and file writes on them without verifying they remain under the intended card store or trash directory. If an attacker can inject or tamper with history entries, they can cause restore, delete, or overwrite operations on arbitrary filesystem paths, leading to unauthorized file modification or relocation outside the application workspace.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill documents deletion and history-clearing commands without explicit warning, dry-run guidance, or confirmation safeguards. In a filesystem-managing skill with shell execution and persistent state, omission of destructive-operation warnings materially increases the risk of accidental data loss and makes unsafe invocation more likely.

Session Persistence

Medium
Category
Rogue Agent
Content
cd /path/to/zettelkasten

# Create notes
python3 scripts/card_manager.py create fleeting "闪念标题" --content "内容"
python3 scripts/card_manager.py create permanent "笔记标题" --category 学习

# Query
Confidence
71% confidence
Finding
create fleeting "闪念标题" --content "内容" python3 scripts/card_manager.py create permanent "笔记标题" --category 学习 # Query python3 scripts/card_manager.py list --type permanent python3 scripts/card_manager.py

VirusTotal

66/66 vendors flagged this skill as clean.
