记一下

Security checks across malware telemetry and agentic risk

Overview

This looks like a legitimate note-taking skill, but it needs review because it can persist sensitive messages and depends on a command-line tool (just-note) that was missing during analysis and therefore could not be reviewed.

Install only after confirming which just-note executable will run and limiting message routing to content you intentionally want saved. Treat all recorded notes as persistent local files, avoid storing secrets or sensitive financial/work data unless you have appropriate protections, and look for deletion/retention controls before using WeChat or Feishu capture.

SkillSpector (by NVIDIA)

Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (17)

Description-Behavior Mismatch

Medium severity, 94% confidence

The changelog states that message-mode AI integration is still pending, while the skill metadata claims automatic invocation on any user message. This mismatch can mislead users and operators about what data is actually being captured or processed, causing unsafe assumptions about automation, coverage, and privacy boundaries.

Description-Behavior Mismatch

High severity, 98% confidence

The known-issues section explicitly says automatic WeChat/Feishu message recording is unavailable, directly contradicting the skill's stated trigger behavior. In a messaging-triggered note-taking skill, this kind of deployment-state inconsistency is security-relevant because users may send sensitive content believing it will be handled one way while the system behaves another way or not at all.

Context-Inappropriate Capability

Medium severity, 92% confidence

The skill explicitly documents sending user message content to an external LLM for classification, while presenting itself primarily as a frictionless local note-taking system. This creates a data disclosure risk because sensitive personal notes, diary entries, finances, and tasks may be transmitted to a third-party model service without clear, prominent disclosure or consent.

Intent-Code Divergence

Medium severity, 94% confidence

The report and metadata create a misleading impression that WeChat/Feishu message input is supported, while the document itself says this integration still needs real testing. In a note-taking skill that may ingest personal messages, overstating readiness can cause users or operators to enable a workflow that has not been validated for correctness, safety, or privacy handling.

Intent-Code Divergence

Medium severity, 92% confidence

The skill description promises automatic tagging and association, but the test report states that intelligent association is not implemented. This is a deceptive capability claim rather than a code execution risk, but it can still mislead users into trusting automation that does not exist, affecting data organization and downstream decisions based on assumed note linkage.

Missing User Warnings

Medium severity, 93% confidence

The handler is explicitly designed to automatically persist arbitrary user messages from WeChat/Feishu via CLI, but the document contains no consent flow, sensitivity filtering, retention guidance, or warning that personal/financial/diary content will be stored. In this context the skill processes highly privacy-sensitive data by default, so silent automatic saving increases the risk of over-collection, accidental retention of secrets, and non-compliant handling of personal data.

Missing User Warnings

Medium severity, 88% confidence

The document explicitly plans WeChat/Feishu message ingestion for a note-taking skill that stores personal thoughts, diary entries, tasks, and financial records, but it provides no privacy notice, consent model, retention policy, or data-handling safeguards. In this context, message ingestion materially increases the risk of collecting sensitive personal data without clear boundaries, which can lead to unintended disclosure, over-collection, or insecure downstream storage.

Missing User Warnings

Medium severity, 93% confidence

The example explicitly shows user-submitted freeform content being persisted to /memory files, including diary-style notes, ideas, and knowledge snippets, but provides no warning that this data is stored long-term and may contain sensitive personal information. Because the skill is triggered automatically when a user sends anything they want to record, users may reasonably disclose private content without understanding the retention and privacy implications.

Missing User Warnings

Medium severity, 95% confidence

These examples normalize capturing financial, work, and business information such as expenses, salary, revenue, and product planning into persistent note files without warning that such records may expose sensitive personal or organizational data. In this skill's context—frictionless message-based capture with AI classification—the ease of input increases the chance that users will store confidential information unintentionally.

Vague Triggers

Medium severity, 93% confidence

The README says the skill is triggered by simply sending any content to be recorded, but it does not define clear activation boundaries, exclusions, or confirmation behavior. In a message-driven environment, this can cause overbroad collection and unintended persistence of casual, sensitive, or unrelated user messages, especially because the skill auto-classifies and writes content via CLI.

Missing User Warnings

Medium severity, 95% confidence

The README explains that messages are understood, classified, and then written by the CLI, but it does not clearly warn users that message-mode input will be stored in files or persistent storage. This is dangerous because users may treat chat-like input as ephemeral and unknowingly disclose personal, financial, or diary data that the skill retains and organizes long-term.

Vague Triggers

High severity, 95% confidence

The trigger condition says the skill auto-runs whenever the user sends anything they want to record, and the surrounding workflow suggests broad interception of chat messages from WeChat/Feishu. In practice, such a loose trigger can capture ordinary conversation, sensitive disclosures, or unintended content, leading to unauthorized retention and downstream processing.

Missing User Warnings

High severity, 97% confidence

The skill is designed to automatically ingest and store raw messages from chat platforms, including highly sensitive categories like diary entries, finances, and tasks, but the documentation lacks strong privacy warnings and consent language. That makes accidental collection and long-term storage of private data much more likely, especially in a low-friction auto-capture design.

Missing User Warnings

High severity, 98% confidence

The implementation section shows that user content is sent to an LLM service for processing, yet the skill does not warn users that their messages leave local storage boundaries and are transmitted to a model provider. Given the types of data involved, this omission materially increases privacy and compliance risk.

Missing User Warnings

Medium severity, 90% confidence

The document discusses automatic handling of WeChat/Feishu messages but gives no warning about privacy, consent, retention, or data-sharing implications. Because this skill’s purpose is to capture arbitrary user messages, the context makes this more dangerous: users may submit sensitive personal, financial, diary, or work content without understanding where it is stored or processed.

Ssd 3

Medium severity, 94% confidence

The note format explicitly stores the user's raw message content and then uses it in aggregated daily/weekly summaries. This creates a durable plain-text retention channel that can expose sensitive information through later views, exports, searches, or summaries beyond the user's original intent.

Ssd 3

Medium severity, 95% confidence

The trigger and workflow indicate that essentially any qualifying chat message may be recorded and retained, which risks indiscriminate collection of private data without contextual checks. In a messaging context, users often mix casual chat with sensitive or confidential information, making this especially dangerous.

VirusTotal

66/66 vendors flagged this skill as clean.