Skillv1.0.0

ClawScan security

siyuan-task-skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousFeb 11, 2026, 9:36 AM

Verdict: suspicious
Confidence: high
Model: gpt-5-mini
Summary: The skill's code is coherent with a SiYuan task manager, but it embeds a SiYuan API URL and token in the bundled config and the package metadata claims no required credentials — that mismatch (and the baked-in token) is a notable red flag.
Guidance: Key things to consider before installing: - The package contains a pre-filled config.env with a SIYUAN_API_TOKEN and a private/shared-space IP (100.64.0.11). This is sensitive — do not assume the token is harmless. If your runtime can reach that IP, the bundled token may allow access to someone else's SiYuan instance. - The skill metadata claims no required credentials, but the code needs SIYUAN_API_URL and SIYUAN_API_TOKEN and will read/write config.env. That mismatch indicates sloppy packaging or deliberate inclusion of credentials; either way you should not trust embedded tokens. - The code legitimately uses powerful API calls (create/remove docs, modify AV JSON via put_file). Those are expected for managing SiYuan tasks but can also be misused if the token is valid. Ensure the token has minimal privileges or use a dedicated token you control. - Recommended actions: ask the publisher for a source/homepage and a reason the token was bundled; replace the bundled config.env with your own values before running; review the full scripts locally; run the skill in an isolated environment or sandbox; and revoke the bundled token (or block the address) if you have any contact with that SiYuan instance. - If you cannot verify the origin or purpose of the embedded token/URL, avoid enabling autonomous invocation for this skill and prefer a version that requires you to explicitly supply credentials at runtime.

Review Dimensions

Purpose & Capability: concernThe skill's name/description (SiYuan task management) matches its code: it uses the SiYuan HTTP API to create/list/update tasks and related sub-documents. However the registry metadata claims no required environment variables or primary credential while the implementation expects and uses SIYUAN_API_URL, SIYUAN_API_TOKEN, and notebook IDs via a config.env file. Declaring 'no required env vars' is inconsistent with the actual need for an API token and URL.
Instruction Scope: noteSKILL.md and the scripts instruct the agent to read and modify a local config.env, call many SiYuan API endpoints (create docs, modify blocks, upload assets) and to write SiYuan storage JSON (/data/storage/av/<AV_ID>.json) via the API. Those actions are within the stated purpose (managing the TASK Attribute View and linked sub-documents), but writing AV JSON and using put_file to modify SiYuan storage is powerful — it can change view metadata and bind rows to documents. The instructions do not ask the agent to read unrelated system files or external endpoints beyond the SiYuan instance.
Install Mechanism: okThere is no install spec (instruction-only runtime plus included Python scripts). No third-party downloads or install hooks are present, which reduces installer risk. The skill does include Python scripts that will be executed by the agent when invoked.
Credentials: concernThe code requires SIYUAN_API_URL and SIYUAN_API_TOKEN (and notebook/AV IDs) but the skill metadata lists no required env vars. Worse, the packaged repo already contains a populated config.env with a SIYUAN_API_TOKEN and internal IP (http://100.64.0.11:52487). Shipping a hardcoded token/URL in the skill bundle is inappropriate: if the token is valid and the runtime can reach that address, the skill could act with that credential. The number and type of credentials are reasonable for the feature, but their presence embedded in the package (not declared) is disproportionate and risky.
Persistence & Privilege: okThe skill does not request always:true and does not modify other skills or global agent settings. It reads and writes its own config.env file (normal for this tool) and calls SiYuan APIs. Autonomous invocation (disable-model-invocation false) is the platform default and not by itself problematic; combined with the embedded token this increases blast radius but there is no evidence the skill attempts to persist beyond its own files.