siyuan-task-skill

Security checks across malware telemetry and agentic risk

Overview

The skill appears to manage SiYuan tasks as claimed, but it ships with credentialed configuration and broad note/database modification powers that need user review before installation.

Before installing, replace config.env with your own endpoint and credentials, rotate the bundled SiYuan token if it was ever live, and avoid running init, migrate, delete, or attach-image unless you have backed up the target notebook and understand that the skill can make persistent changes to SiYuan content.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (15)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 93%
Finding: The skill declares only an allowed Bash tool but documents and requires file reads, file writes, and network access to a SiYuan HTTP API, including writing back IDs and storing credentials in config.env. This permission/capability mismatch is dangerous because it obscures the real trust boundary and can cause the skill to be invoked without users or policy systems understanding that it can access local files and remote services.

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding: The client exposes a much broader set of privileged SiYuan operations than the skill description requires, including arbitrary document, block, file, asset, SQL, and notification APIs. In an agent setting, this expands the blast radius of prompt injection, misuse, or implementation bugs: a task-management skill could be induced to modify or access unrelated notebook content and files.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding: The sql_query method accepts an arbitrary SQL statement and forwards it directly to the SiYuan API. In a task-management skill, this enables unrestricted querying of the underlying data store, which can expose unrelated notes or metadata and may support dangerous modifications depending on API behavior.

Context-Inappropriate Capability

Severity: High
Confidence: 97%
Finding: The get_file and put_file methods permit arbitrary read/write access within the SiYuan data directory, far beyond task tracking needs. In an agent context, this can be abused to read sensitive workspace files, overwrite application data, or persist unauthorized changes unrelated to the user's requested task management workflow.

Context-Inappropriate Capability

Severity: Medium
Confidence: 89%
Finding: The initialization flow rewrites a local config.env file to persist AV and column identifiers. Although this supports setup, it gives the skill filesystem write capability outside normal task CRUD and could overwrite or corrupt configuration material if invoked unexpectedly or in the wrong environment. Because .env-style files often also contain tokens and endpoints, modifying them is security-sensitive even if the code only targets specific keys.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding: The _bind_row_to_doc method reads and writes /data/storage/av/{AV_ID}.json directly, modifying SiYuan internal storage rather than using supported API operations. Direct internal-file mutation bypasses normal validation and can corrupt application state, bind rows to unintended documents, or create persistence/manipulation behaviors beyond the declared task-management scope.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding: The migration/binding path again operates on SiYuan's internal AV JSON file and performs bulk rebinding of rows to documents. This is more dangerous than ordinary task management because it enables administrative-scale state manipulation and can mass-corrupt or relink records if identifiers are wrong or maliciously influenced.

Vague Triggers

Severity: Medium
Confidence: 82%
Finding: The trigger language is broad enough to match ordinary conversation about SiYuan, task management, or tracking work items, which increases the chance of unintended activation. In this skill, unintended activation matters because the skill can create, modify, rename, and delete notes and task records over the network, so a false invocation can lead to unwanted state changes in the user's notebook.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The documentation states that deleting a task also deletes its sub-document, but it provides no explicit warning, confirmation step, or recovery guidance. Because this is a destructive action affecting both the database row and related document content, a mistaken command or ambiguous row_id selection can cause irreversible loss of user data.

Missing User Warnings

Severity: Low
Confidence: 79%
Finding: The setup instructions direct users to place an API URL and token in config.env without any warning about protecting credentials, excluding the file from source control, or limiting filesystem exposure. This increases the likelihood of accidental token disclosure through commits, logs, backups, or overbroad file access by other tools.

Natural-Language Policy Violations

Severity: Low
Confidence: 99%
Finding: The file hardcodes a private SiYuan API endpoint, an API token, and notebook/database identifiers directly in the skill configuration. This exposes live credentials and internal service topology to anyone with access to the skill package, enabling unauthorized access to the user's notes/tasks and potentially broader lateral movement into a private network environment.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding: The client includes deletion methods for documents and blocks with no built-in safeguards, confirmations, or scoping checks. In an autonomous or semi-autonomous agent workflow, a bad prompt, logic error, or malicious instruction could cause irreversible content deletion outside the intended task scope.

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding: The upload_asset method reads arbitrary local files and sends their contents to the SiYuan server without any local validation or disclosure at the code level. In an agent environment, this creates data exfiltration risk if the agent is induced to upload sensitive files under the guise of task management.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: delete_task removes both the associated sub-document and the database row with no confirmation, dry-run, or recovery mechanism. In an agent setting, a mistaken parameter, ambiguous user request, or prompt-manipulated action could cause irreversible data loss across multiple linked objects.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding: Initialization silently rewrites config.env, changing persistent local configuration without a warning or confirmation step. This is dangerous in an agent context because setup actions can unexpectedly alter environment-specific settings and break future runs or interfere with secrets stored alongside other variables.

VirusTotal

66/66 vendors flagged this skill as clean.