youdaonote
Pass
Audited by Gen Agent Trust Hub on Apr 30, 2026
Risk Level: SAFE EXTERNAL_DOWNLOADS REMOTE_CODE_EXECUTION COMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill fetches an installation script from artifact.lx.netease.com. This is a verified official domain belonging to the developer, NetEase.
- [REMOTE_CODE_EXECUTION]: The skill executes the official installation script by piping it to the shell (curl | bash). This setup behavior is localized to the initial configuration of the vendor's own CLI tools.
- [COMMAND_EXECUTION]: It utilizes a custom CLI (youdaonote) to perform legitimate note-taking tasks such as creating, reading, and searching notes. To mitigate command injection risks when handling large or complex user content, the skill correctly instructs the agent to write content to temporary files before processing.
- [SAFE]: The skill implements best practices for secret management by directing users to generate API keys on the official vendor site (mopen.163.com) and storing them via the CLI's native configuration system rather than hardcoding them.
Audit Metadata