ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

siyuan-task-skill

v1.0.0

Manage tasks in SiYuan Note via its HTTP API. Create, query, update, and organize tasks stored in the 任务清单 document (with a TASK database) and sub-documents for related materials. Use when the user mentions SiYuan, task management, or needs to track work items.

2· 1k·2 current·2 all-time
by@zhhkheaven
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The skill's name/description (SiYuan task management) matches its code: it uses the SiYuan HTTP API to create/list/update tasks and related sub-documents. However the registry metadata claims no required environment variables or primary credential while the implementation expects and uses SIYUAN_API_URL, SIYUAN_API_TOKEN, and notebook IDs via a config.env file. Declaring 'no required env vars' is inconsistent with the actual need for an API token and URL.
Instruction Scope
SKILL.md and the scripts instruct the agent to read and modify a local config.env, call many SiYuan API endpoints (create docs, modify blocks, upload assets) and to write SiYuan storage JSON (/data/storage/av/<AV_ID>.json) via the API. Those actions are within the stated purpose (managing the TASK Attribute View and linked sub-documents), but writing AV JSON and using put_file to modify SiYuan storage is powerful — it can change view metadata and bind rows to documents. The instructions do not ask the agent to read unrelated system files or external endpoints beyond the SiYuan instance.
Install Mechanism
There is no install spec (instruction-only runtime plus included Python scripts). No third-party downloads or install hooks are present, which reduces installer risk. The skill does include Python scripts that will be executed by the agent when invoked.
!
Credentials
The code requires SIYUAN_API_URL and SIYUAN_API_TOKEN (and notebook/AV IDs) but the skill metadata lists no required env vars. Worse, the packaged repo already contains a populated config.env with a SIYUAN_API_TOKEN and internal IP (http://100.64.0.11:52487). Shipping a hardcoded token/URL in the skill bundle is inappropriate: if the token is valid and the runtime can reach that address, the skill could act with that credential. The number and type of credentials are reasonable for the feature, but their presence embedded in the package (not declared) is disproportionate and risky.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or global agent settings. It reads and writes its own config.env file (normal for this tool) and calls SiYuan APIs. Autonomous invocation (disable-model-invocation false) is the platform default and not by itself problematic; combined with the embedded token this increases blast radius but there is no evidence the skill attempts to persist beyond its own files.
What to consider before installing
Key things to consider before installing: - The package contains a pre-filled config.env with a SIYUAN_API_TOKEN and a private/shared-space IP (100.64.0.11). This is sensitive — do not assume the token is harmless. If your runtime can reach that IP, the bundled token may allow access to someone else's SiYuan instance. - The skill metadata claims no required credentials, but the code needs SIYUAN_API_URL and SIYUAN_API_TOKEN and will read/write config.env. That mismatch indicates sloppy packaging or deliberate inclusion of credentials; either way you should not trust embedded tokens. - The code legitimately uses powerful API calls (create/remove docs, modify AV JSON via put_file). Those are expected for managing SiYuan tasks but can also be misused if the token is valid. Ensure the token has minimal privileges or use a dedicated token you control. - Recommended actions: ask the publisher for a source/homepage and a reason the token was bundled; replace the bundled config.env with your own values before running; review the full scripts locally; run the skill in an isolated environment or sandbox; and revoke the bundled token (or block the address) if you have any contact with that SiYuan instance. - If you cannot verify the origin or purpose of the embedded token/URL, avoid enabling autonomous invocation for this skill and prefer a version that requires you to explicitly supply credentials at runtime.

Like a lobster shell, security has layers — review code before you run it.

latestvk977xeezv4wnnvxzdgfgw7gkys80wdm6

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments