Back to skill

Security audit

X To Kindle

Security checks across malware telemetry and agentic risk

Overview

This skill has a plausible Kindle-delivery purpose, but it can email arbitrary local files using SMTP credentials and gives unsafe plaintext credential-storage guidance.

Review before installing. Use only with files or X/Twitter content you explicitly want emailed to your Kindle. Do not put SMTP app passwords in TOOLS.md or other markdown files; use protected environment secrets or a secret manager, and prefer a dedicated revocable sender account/app password.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
85% confidence
Finding
The skill documentation relies on environment variables for SMTP credentials but does not declare corresponding permissions, creating a transparency and policy gap. In an agent setting, undeclared access to sensitive configuration increases the chance that email credentials are used without clear user awareness or review.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The documented behavior exceeds the stated purpose: the tool can send arbitrary local files as attachments and use SMTP credentials to send email, while the high-level description suggests only converting X posts to Kindle format. That mismatch is dangerous because it can hide broader data-exfiltration capability behind a benign-seeming workflow.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The documentation instructs users to place an SMTP app password and Kindle address into TOOLS.md, a plaintext markdown file that may be broadly accessible to the agent or other tooling. Storing reusable email credentials this way materially increases the risk of credential disclosure and subsequent account abuse.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The package description claims the skill can send local files to Kindle, which exceeds the declared skill purpose of sending X/Twitter posts. This kind of scope expansion is dangerous because downstream reviewers, users, or agent frameworks may trust the metadata and permit file-handling behavior that increases access to local data and exfiltration risk.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The script accepts an arbitrary local file path from the command line and emails that file to the configured Kindle address, which is broader than the stated purpose of sending X/Twitter posts or threads. In a skill context, this creates a generic file-transfer/exfiltration capability that could be abused to send sensitive local files unrelated to the user’s request.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The code reads any file specified by `file_path` and transmits its contents over email to an external recipient, which is a direct exfiltration path. Because this capability is not necessary for the advertised X/Twitter-to-Kindle functionality, the mismatch between stated purpose and actual behavior materially increases suspicion and risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill tells users to store SMTP and Kindle credentials without warning about their sensitivity or the risks of exposure. Even if intended for convenience, this weak secret-handling guidance encourages insecure operational practices that can lead to unauthorized email access.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The script sends attached file contents over SMTP to an external email address without any user-facing disclosure, confirmation, or data-sensitivity warning. Even if TLS is used in transit, users may not realize local document contents are being transmitted off-host, increasing the chance of inadvertent disclosure of sensitive information.

Ssd 3

High
Confidence
99% confidence
Finding
Directing users to store sensitive email credentials in a plaintext markdown file is a concrete secret-disclosure vulnerability. If the file is indexed, logged, synced, or exposed to the agent runtime, attackers could reuse the app password to send email or access connected services.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.