
Security audit

article-link-skill

Security checks across malware telemetry and agentic risk

Overview

The skill does what it says, but it sends an account import token and article URLs to a remote service while disabling HTTPS certificate checks.

Review before installing. Use only if you are comfortable sharing submitted article URLs with pick-read.vip, and do not use a real Import Token until the publisher removes the unverified TLS contexts and documents the network, token, and privacy behavior clearly.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (4)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 94%
Finding:
The skill explicitly requires reading a local config file for an import token and invoking a Python CLI that communicates with a remote API, which implies filesystem, environment, and network access beyond what is declared in metadata. Undeclared capabilities weaken sandboxing and review expectations, making it easier for a skill to access secrets or exfiltrate data without administrators realizing the true risk surface.

Intent-Code Divergence

High
Confidence: 98%
Finding:
The module-level documentation claims the runtime uses standard urllib without hard-coded credentials, but the implementation later disables TLS certificate and hostname verification for HTTPS requests. This mismatch is dangerous because it can mislead reviewers and operators into trusting transport security that is not actually present, increasing the likelihood that tokens and article data are exposed to man-in-the-middle interception.

Context-Inappropriate Capability

High
Confidence: 100%
Finding:
The code explicitly sets check_hostname = False, verify_mode = ssl.CERT_NONE, and uses ssl._create_unverified_context(), which disables core TLS protections for every API call. Because this skill sends an Import Token and retrieves article content over the network, an attacker on the network path could impersonate the API server, steal the token, tamper with responses, or inject malicious content.

Missing User Warnings

Medium
Confidence: 91%
Finding:
The README explicitly instructs users to configure an Import Token and submit article URLs to the external service at pick-read.vip, but it does not clearly disclose the privacy and data-transmission implications of sending reading interests, article targets, and authentication material to a third-party API. In a skill context, users may assume local processing, so the missing warning increases the risk of uninformed credential use and unintended disclosure of sensitive browsing or research activity.

VirusTotal

67/67 vendors flagged this skill as clean.
