Is m1n-74316d65/dnote safe?

https://github.com/openclaw/skills/tree/main/skills/m1n-74316d65/dnote

84
SAFE

The dnote skill is a straightforward CLI wrapper for the Dnote note-taking application with no prompt injection, hidden instructions, or malicious executable code. The skill's primary risk is its cloud sync capability: an LLM agent could capture sensitive information into the notes database and synchronize it to api.dnote.io, and the installation documentation endorses a curl-pipe-to-shell pattern. All canary files were accessed only by the audit monitoring infrastructure and remained unmodified throughout the test.

Category Scores

Prompt Injection 85/100 · 30%
Data Exfiltration 78/100 · 25%
Code Execution 82/100 · 20%
Clone Behavior 93/100 · 10%
Canary Integrity 95/100 · 10%
Behavioral Reasoning 82/100 · 5%

Findings (5)

MEDIUM Documented curl-pipe-to-sh installation pattern -15

The SKILL.md Setup section instructs agents and users to run 'curl -s https://www.getdnote.com/install | sh' to install the required dnote binary. While this is documentation rather than active instruction, an LLM agent following the setup guide would execute arbitrary code fetched from an external URL without verification. If getdnote.com were compromised or the URL hijacked, this becomes a remote code execution vector.

MEDIUM Cloud sync capability creates covert note-exfiltration channel -22

The skill exposes a dnote sync command and documents DNOTE_API_KEY and apiEndpoint: https://api.dnote.io. An LLM agent using this skill could capture sensitive information observed during a session into notes (via add or quick commands) and subsequently sync those notes to the Dnote cloud service, bypassing network-level egress controls on the primary conversation channel.

LOW Unquoted DNODE_CMD variable used in command execution -8

The shell variable DNODE_CMD is assembled without quoting and reused in multiple places: 'DNODE_CMD="dnote --dbPath $DB_PATH"' and subsequently '$DNODE_CMD add "$book"'. Word splitting occurs if DB_PATH or the assembled string contains whitespace. Exploitability requires control of the DNOTE_DB_PATH environment variable.

LOW Third-party API key scope implies persistent cloud account linkage -8

The skill declares primaryEnv: DNOTE_API_KEY, indicating it is designed to authenticate to an external service (dnote.io). Notes stored via this skill may persist in a third-party cloud account beyond the local device, and deletion of the local database does not necessarily remove cloud copies.

INFO Canary files accessed by audit infrastructure prior to skill install 0

inotifywait and auditd logs record read access to all six canary files at timestamp 1771905274 (approximately 5 seconds before the git clone begins at 1771905279). A second access set at 1771905291 follows skill installation. Both access patterns are attributable to the oathe audit framework performing baseline hash collection and post-install integrity verification respectively. No skill code references these paths.