Back to skill

Security audit

Blog to Kindle

Security checks across malware telemetry and agentic risk

Overview

This skill mostly does what it says, but it can automatically email generated files through Mail.app to a built-in personal Kindle address, so it needs review before use.

Review before installing. Use the fetch and EPUB generation pieces locally first, remove the built-in Kindle email address, require your own recipient every time, and confirm the exact file and destination before allowing Mail.app or osascript to send anything.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Output HandlingUnvalidated Output Injection, Cross-Context Output, Unbounded Output
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill declares no permissions even though its documented workflow clearly involves network access, local file reads/writes, shell execution, and email automation via local Mail.app. This is dangerous because users and policy systems cannot accurately assess or constrain what the skill can do, increasing the chance of unexpected data access or outbound transmission.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The documented behavior does not fully match the advertised description: it relies on Mail.app/AppleScript for sending, exposes a hardcoded default recipient, and overstates supported sites and cover-generation capabilities. Description-behavior mismatches are dangerous because they can mislead users into approving actions they did not expect, especially when those actions include transmitting content externally.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The AppleScript automates Mail.app to create and send an outbound email with an attached EPUB, which is OS-application control that can transmit local files externally. In the context of a skill that processes user content, this is risky because it reduces user visibility and confirmation before data leaves the system, especially when paired with a prefilled recipient.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The script hard-codes a default Kindle email address, causing documents to be sent to a fixed recipient if the caller omits `--kindle-email`. In a skill intended to send user-selected content to Kindle, this can misdirect private documents to an unrelated mailbox and create an unintended data exfiltration path.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The workflow instructs sending compiled EPUBs to a Kindle email address without clearly warning that the blog content and metadata will be transmitted through email. This creates a privacy and data-handling risk, especially for custom sites or user-supplied content that may contain sensitive material or copyrighted text.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
Publishing and defaulting to a specific Kindle email address is dangerous because it can cause accidental exfiltration of generated EPUBs to the wrong recipient if users do not override it. In this skill's context, the risk is elevated because the whole workflow culminates in automated email delivery, so a bad default can directly route user content to an unintended external account.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The workflow includes a hard-coded Kindle email address in an automated Mail.app send flow without any warning that the generated ebook will be transmitted to an external address. This creates a clear data-disclosure risk if the EPUB contains private scraped content, annotations, or unintended files, and the hard-coded destination increases the chance of sending to the wrong recipient.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The command-line example sends the EPUB to an external Kindle email address without a user-facing disclosure or confirmation step. While this is a sample command rather than hidden behavior, it still normalizes outbound transmission of generated content and could lead users to expose private or copyrighted material unintentionally.

Unvalidated Output Injection

High
Category
Output Handling
Content
end tell
    '''
    
    result = subprocess.run(
        ["osascript", "-e", applescript],
        capture_output=True,
        text=True
Confidence
98% confidence
Finding
subprocess.run( ["osascript", "-e", applescript], capture_output

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.