Yum NoteBook

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent local notebook generator with opt-in external AI, TTS, upload, and chat-delivery features, but users should configure those integrations carefully because they can expose notebook content.

Before installing, review config.yaml and leave ai.provider, upload.provider, notify.webhook_url, and deliver.provider disabled unless you trust the destination. Do not use provider: cli, --fetcher, custom OpenClaw binaries, rclone extra_args, or an onedrive_graph uploader path unless you trust the exact command or file. Disable TTS for confidential notes if you do not want text sent to Microsoft edge-tts.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Behavioral ASTexec() Call, eval() Call, Dynamic Import
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration

Findings (23)

subprocess module call

Medium

Category: Dangerous Code Execution
Content: def complete(self, system: str, user: str) -> str: prompt = f"<system>\n{system}\n</system>\n\n<user>\n{user}\n</user>\n" try: r = subprocess.run(self.cmd, input=prompt, capture_output=True, text=True, encoding="utf-8", timeout=self.timeout) except subprocess.TimeoutExpired as e: raise AIError(f"CLI provider timed out after {self.timeout}s: {e}")
Confidence: 93% confidence
Finding: r = subprocess.run(self.cmd, input=prompt, capture_output=True, text=True, encoding="utf-8", timeout=self.timeout)

subprocess module call

Medium

Category: Dangerous Code Execution
Content: if (not html or "<title>" not in html.lower()) and fetcher: try: out = subprocess.run(fetcher.split() + [url], capture_output=True, text=True, encoding="utf-8", timeout=60) if out.returncode == 0 and out.stdout: html = out.stdout except Exception as e:
Confidence: 97% confidence
Finding: out = subprocess.run(fetcher.split() + [url], capture_output=True, text=True, encoding="utf-8", timeout=60)

subprocess module call

Medium

Category: Dangerous Code Execution
Content: with open(list_path, "w", encoding="utf-8") as f: for p in input_files: f.write(f"file '{os.path.abspath(p).replace(chr(39), '_')}'\n") subprocess.run([ _ffmpeg(), "-y", "-f", "concat", "-safe", "0", "-i", list_path, "-codec:a", "libmp3lame", "-b:a", "128k", "-ar", "44100", "-ac", "2", output_mp3,
Confidence: 79% confidence
Finding: subprocess.run([ _ffmpeg(), "-y", "-f", "concat", "-safe", "0", "-i", list_path, "-codec:a", "libmp3lame", "-b:a", "128k", "-ar", "44100", "-ac", "2", output_mp3, ], ch

Lp3

Medium

Category: MCP Least Privilege
Confidence: 94% confidence
Finding: The skill advertises and instructs use of environment variables, local file ingestion/writing, network fetching, cloud upload, and shell-based setup/CLI execution, but no explicit permissions are declared. That mismatch can prevent informed consent and makes the skill harder to sandbox safely, especially because it handles external content and optional exfiltration to third-party services.

Context-Inappropriate Capability

Medium

Confidence: 95% confidence
Finding: This module intentionally supports arbitrary external CLI execution, which materially expands the skill's capability beyond summarization into general local code/tool execution. In an agent environment, that is dangerous because prompts may contain sensitive source material and the invoked tool can read, transform, store, or exfiltrate that data without any control in this file.

Context-Inappropriate Capability

Medium

Confidence: 94% confidence
Finding: The skill exposes a capability to run arbitrary external fetcher commands during URL ingestion, which is broader than its declared note-taking purpose and materially increases privilege. For an AI agent, this creates a dangerous tool-confusion path where untrusted content or prompts can steer the agent into invoking local executables not needed for summarization.

Context-Inappropriate Capability

Medium

Confidence: 96% confidence
Finding: The delivery path allows configuration of an arbitrary executable via deliver.openclaw.binary and then invokes it with attacker-influenced arguments such as channel, target, message, and media path. In an agent setting, if untrusted skill configuration or prompt-driven settings can reach this field, the feature becomes a general local command-execution primitive rather than a narrowly scoped message-delivery integration.

Context-Inappropriate Capability

High

Confidence: 98% confidence
Finding: The code imports and executes Python from a user-configured filesystem path via importlib, which gives that external file full code-execution privileges inside the agent process. In a local-first agent skill, configuration may be influenced by users or other tooling, so this creates an explicit arbitrary-code execution extension point with no validation, sandboxing, signature check, or allowlist.

Context-Inappropriate Capability

Medium

Confidence: 88% confidence
Finding: The skill shells out to an external binary chosen from configuration and appends configurable extra arguments, expanding the attack surface beyond simple file upload. Although shell=True is not used, this still permits execution of a non-rclone binary if rclone_bin is pointed elsewhere, and extra_args can alter behavior in security-relevant ways such as config selection, remote control options, or unexpected network destinations.

Vague Triggers

Medium

Confidence: 81% confidence
Finding: The invocation examples include broad natural-language phrases like 'help me understand this article' and 'summarize this link,' which can overlap with ordinary conversation. In agent environments, that raises the chance of accidental invocation on unintended content, potentially triggering network fetches, local file processing, or uploads without the user clearly intending to run this skill.

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The skill explicitly supports webhook notifications, IM/chat delivery, and cloud uploads of generated artifacts derived from URLs, videos, screenshots, and raw text, but it does not clearly warn that sensitive source material may be transmitted to external services. Because the tool is designed to ingest potentially private content and create derived summaries, transcripts, slides, and audio, an unsuspecting user could leak confidential information to Slack, Discord, Teams, cloud drives, or AI/TTS providers.

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The configuration explicitly supports uploading generated artifacts to third-party cloud providers, but the comments frame this as recommended and convenient without clearly warning that source-derived notes, audio, decks, and links may leave the local environment. In a local-first note-taking skill that may ingest arbitrary web pages, videos, and screenshots, this creates a meaningful risk of unintended data disclosure if users assume outputs remain local.

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The webhook configuration allows posting titles and links to external HTTP endpoints, but the config text does not clearly warn that metadata about generated notes will be transmitted outside the local system. Even if only titles and links are sent, those fields can reveal sensitive topics, document names, or cloud URLs that broaden exposure.

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The direct delivery section supports pushing summaries and files into external chat platforms, but it lacks a prominent warning that outputs may be sent to third-party messaging channels or recipients. Because targets can be channel IDs, user IDs, or threads, misconfiguration or casual use could leak generated content into the wrong workspace or audience.

Missing User Warnings

Medium

Confidence: 87% confidence
Finding: The CLI provider forwards full prompt contents to an external subprocess with no warning or consent mechanism in this code path. Because prompts may include captured web content, screenshots, notes, or source material, this can leak sensitive data to any configured local or wrapped remote tool, increasing privacy and supply-chain risk.

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: URL ingestion performs outbound HTTP requests and stores fetched HTML/text locally without prominent user-facing disclosure at the call site. In a local-first agent tool, silent network access and persistent capture can expose browsing targets, internal URLs, or sensitive page content in contexts where the operator expected only local processing.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The fetcher fallback runs a subprocess on user-provided URL input without a clear safety warning, creating a hidden execution boundary. Even without shell=True, this still permits execution of attacker-selected or operator-misconfigured binaries with untrusted network-derived arguments, which is risky for an autonomous agent skill.

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: Publishing can upload artifacts, post to webhooks, and deliver files to external services, but the command path does not prominently warn the user that local note contents may leave the machine. Given the skill's local-first framing, this mismatch can cause accidental data disclosure of summaries, audio, slides, or source-derived content.

Missing User Warnings

Medium

Confidence: 84% confidence
Finding: This function sends generated summaries, links, and files to external chat/channel destinations with no in-code confirmation, policy gate, or explicit consent check at the point of transmission. In a local-first notebook tool that may ingest sensitive source material, silent exfiltration to Slack, Discord, Teams, Telegram, or similar services materially increases data leakage risk.

Missing User Warnings

Medium

Confidence: 97% confidence
Finding: The dual-audio path sends script text to Microsoft's edge-tts online service, but there is no explicit consent, warning, or privacy boundary in code before transmitting potentially sensitive notebook content. In this skill's context, users may paste article summaries, transcripts, screenshots, or study notes that could contain private or proprietary information, so silent exfiltration to a third party is a meaningful privacy/security issue.

Ssd 1

Medium

Confidence: 89% confidence
Finding: Untrusted source text is inserted directly into the summarization prompt with no boundary markers or explicit instruction to treat source content as data rather than commands. This allows prompt injection from webpages, transcripts, or text inputs to manipulate downstream model behavior, potentially causing policy bypass, misleading summaries, or propagation of attacker instructions into later workflow stages.

Ssd 1

Medium

Confidence: 90% confidence
Finding: The talk-show generation step consumes summary or raw source content verbatim, enabling second-stage prompt injection where malicious instructions survive summarization and influence later outputs. In chained agent workflows, this compounds risk by letting attacker-controlled content shape additional artifacts such as audio scripts.

Ssd 1

Medium

Confidence: 91% confidence
Finding: Deck-plan generation mixes untrusted summary/source text with local image file paths in a single prompt without safeguards, allowing semantic prompt injection to influence slide structure and references to local files. Although this does not itself execute code, it can cause unintended disclosure of local context and attacker-controlled artifact generation in a multi-step pipeline.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal