Back to skill

Security audit

Yinxiang Skill 1.0.4

Security checks across malware telemetry and agentic risk

Overview

The skill matches its note-taking purpose, but it asks users to paste an account token into chat and stores that credential locally while enabling note reading and modification.

Review before installing. Use this only if you are comfortable giving the skill access to create, search, retrieve, and modify your Yinxiang/Evernote notes. Treat the token like a password, avoid pasting it into shared chats, revoke or rotate it if exposed, and be careful with generic requests like “记一下” because they may save content to your account.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue AgentSelf-Modification, Session Persistence
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
87% confidence
Finding
The skill explicitly instructs the agent to execute shell and PowerShell commands, write files, and invoke local scripts, yet no declared permissions are present. That mismatch weakens the platform’s security boundary because users and orchestrators may not realize the skill can run code and touch local state.

Vague Triggers

Medium
Confidence
85% confidence
Finding
The note-creation triggers are generic phrases like '记一下' and '帮我记录', which are common in ordinary chat and can cause unintended note creation. Because the skill writes to a third-party account and may persist sensitive conversation content, accidental triggering can create privacy and data-integrity issues.

Vague Triggers

Medium
Confidence
85% confidence
Finding
The note-creation triggers are generic phrases like '记一下' and '帮我记录', which are common in ordinary chat and can cause unintended note creation. Because the skill writes to a third-party account and may persist sensitive conversation content, accidental triggering can create privacy and data-integrity issues.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The authorization flow tells the user to paste a full access token into chat but does not clearly warn that the token is a sensitive credential equivalent to account access. Tokens sent through chat may be logged, retained, or exposed to other components, creating a direct credential-compromise risk.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The document instructs the agent to read authentication tokens from local files or environment variables and make real outbound API calls that can create, update, search, and retrieve note content. It also explicitly tells the agent to generate temporary scripts and execute them if bundled scripts are unsuitable, which expands the attack surface and can cause silent exfiltration of credentials and user data without an explicit user-facing consent or warning.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script transmits user-supplied note title and content to a remote Evernote/Yinxiang API endpoint, which is an intentional feature but still creates a privacy and data-exfiltration risk if users are not clearly informed that their content leaves the local environment. In this skill context, users may provide sensitive notes, so the lack of an explicit disclosure or consent step increases the chance of unintended exposure.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script persists a supplied Evernote token to disk in a predictable location without any warning, consent prompt, or indication of how sensitive credentials are handled. In the context of a note-taking skill that performs account authorization, silent credential persistence increases the risk of token exposure through local compromise, backups, sync tools, or other processes reading the file.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The script persists a bearer-style authentication token to a predictable file under the user's home directory. Although it sets restrictive permissions afterward, storing long-lived credentials on disk increases exposure to local compromise, backups, shell history mistakes, or accidental disclosure, especially because the script does not warn users about these handling risks.

Ssd 3

High
Confidence
98% confidence
Finding
The skill instructs the assistant to ask for the full Evernote token in chat and then persist it locally in configuration files. This combines two risky behaviors—credential collection through conversational channels and long-term local storage—making theft, reuse, and accidental disclosure substantially more likely.

External Transmission

Medium
Category
Data Exfiltration
Content
echo "用法: $0 <笔记GUID>"
  exit 1
fi
curl -s -X POST \
  "https://app.yinxiang.com/third/ai-chat-note/grpc-api/search/getNoteDetail" \
  -H "Content-Type: application/json" \
  -H "auth: $TOKEN" \
Confidence
78% confidence
Finding
curl -s -X POST \ "https://app.yinxiang.com/third/ai-chat-note/grpc-api/search/getNoteDetail" \ -H "Content-Type: application/json" \ -H "auth: $TOKEN" \ -d

Session Persistence

Medium
Category
Rogue Agent
Content
echo "Token 是以 S=s 开头的字符串,从 https://app.yinxiang.com/third/skills-oauth/ 获取"
  exit 1
fi
mkdir -p ~/.config/yinxiang-skill
echo "$TOKEN" > ~/.config/yinxiang-skill/token
chmod 600 ~/.config/yinxiang-skill/token
echo "Token 已保存到 ~/.config/yinxiang-skill/token"
Confidence
86% confidence
Finding
mkdir -p ~/.config/yinxiang-skill echo "$TOKEN" > ~/.config/yinxiang-skill/token chmod 600 ~/.config/yinxiang-skill/token echo "Token 已保存到 ~/.config

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.