siyuan
Warn
Audited by Gen Agent Trust Hub on Apr 4, 2026
Risk Level: MEDIUM
Tags: REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The documentation suggests an alternative configuration using `npx -y @porkll/siyuan-mcp`. This command downloads and executes code from the npm registry without verifying the source or integrity of the third-party package.
- [COMMAND_EXECUTION]: The skill operates by instructing the agent to execute shell commands (`curl` and `jq`). These commands use environment variables (`$SIYUAN_TOKEN`, `$SIYUAN_URL`) for authentication and endpoint configuration, executing directly in the shell environment.
- [DATA_EXFILTRATION]: While the skill correctly uses environment variables for sensitive tokens, it interacts with a user-defined `SIYUAN_URL`. A malicious configuration could direct the API token and sensitive note data to an unauthorized remote server.
- [PROMPT_INJECTION]: The skill allows the agent to ingest content from a self-hosted knowledge base, which serves as an untrusted data source that could contain malicious instructions (Indirect Prompt Injection).
  - Ingestion points: Document reading endpoints such as `/api/block/getBlockKramdown` and `/api/export/exportMdContent` defined in `SKILL.md`.
  - Boundary markers: Absent. The skill does not provide delimiters or instructions to the agent to treat retrieved note content as untrusted data.
  - Capability inventory: The skill possesses broad capabilities, including creating, updating, and deleting blocks/documents, and executing SQL queries via `curl`.
  - Sanitization: Absent. No validation or escaping is applied to the data retrieved from the API before it is processed by the agent.
Audit Metadata