Back to skill

Security audit

书搭子

Security checks across malware telemetry and agentic risk

Overview

The skill appears useful for a reading companion, but its privacy and local-only claims conflict with optional remote TTS and arbitrary external command execution.

Review this before installing if you care about local-only privacy. Do not enable edge-tts or any remote TTS backend for sensitive notes unless you are comfortable sending that text to a third-party service. Avoid setting BOOK_COMPANION_TTS_CMD unless you fully trust the command, and treat the plaintext user profile as private data that may be exposed through backups, sync folders, or shared workspaces.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The README claims the skill is strictly self-contained and does not touch external paths, yet it explicitly supports executing a TTS command from system PATH or an arbitrary path supplied via an environment variable. That creates a trust-boundary mismatch: operators may believe the skill is confined to its own directory when in fact it can invoke external executables and scripts, increasing the chance of unintended command execution or unsafe integrations.

Intent-Code Divergence

High
Confidence
95% confidence
Finding
The README states there are zero network requests, but the documented example uses edge-tts, which typically sends text to a remote Microsoft-backed service. This is dangerous because users may provide sensitive reading notes or emotional log content under the assumption of local-only processing, causing unintentional data exfiltration and privacy violations.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The skill permits execution of a command string sourced from the BOOK_COMPANION_TTS_CMD environment variable, which expands the trust boundary beyond the declared local data directory. Even if framed as optional TTS, invoking a shell-style command from configuration can enable arbitrary command execution or unintended access to system resources if the variable is maliciously set or improperly templated.

Intent-Code Divergence

High
Confidence
93% confidence
Finding
The document claims it will not request environment variables, yet later relies on an environment variable to control external command execution. This inconsistency is security-relevant because it can mislead reviewers and users about the real permissions and trust assumptions of the skill, especially where external process execution is involved.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The document explicitly states that personal preferences and emotional-pattern data are stored locally in plaintext, which creates a real confidentiality risk if the device, workspace, backups, or synced files are accessed by others. Because the profile includes sensitive emotional-support cues and behavioral preferences, exposure could enable privacy harm, profiling, or social engineering even without code execution.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.