X To Kindle

Security checks across malware telemetry and agentic risk

Overview

This skill has a plausible Kindle delivery purpose, but it can email any local file using stored SMTP credentials and gives unsafe plaintext password guidance.

Review before installing. Use only with files or X/Twitter content you explicitly want emailed to your Kindle, do not put SMTP app passwords in TOOLS.md or other markdown files, prefer protected environment secrets or a secret manager, and use a dedicated revocable app password for the sender account.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 88%
Finding:
The skill references environment-based secrets like SMTP credentials but does not declare permissions for accessing them. That creates hidden capability beyond what a reviewer or policy system can easily reason about, increasing the chance of unauthorized secret use. In an agent context, undeclared access to env-stored credentials is a real security concern even if the feature is intended.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 95%
Finding:
The documented tool behavior allows sending arbitrary local files via email, while the skill claims to convert X posts to Kindle documents. That mismatch is dangerous because it turns a narrow content-conversion skill into a general exfiltration or file-transmission mechanism using stored SMTP credentials. In agent systems, description-behavior mismatch materially increases the risk of misuse and unsafe tool invocation.

Context-Inappropriate Capability

Medium
Confidence: 97%
Finding:
The documentation tells users to store SMTP app passwords in TOOLS.md, which broadens credential exposure from a secret store into general agent-readable documentation. This creates unnecessary access paths for sensitive data and makes accidental disclosure, logging, or model reproduction of secrets more likely.

Description-Behavior Mismatch

Medium
Confidence: 91%
Finding:
The manifest description expands the advertised capability from sending X/Twitter links to Kindle into handling local files, which is a materially broader and more sensitive operation. This can mislead users or downstream agents into granting the skill access to local filesystem content outside the expected trust boundary, increasing risk of unintended file exfiltration or abuse if the implementation accepts arbitrary paths.

Description-Behavior Mismatch

High
Confidence: 98%
Finding:
The script accepts an arbitrary local file path from the command line and emails that file to a configured Kindle address, without validating that the input is an X/Twitter URL or that the file was produced by a safe tweet-rendering step. This creates capability far broader than the stated skill purpose and can be abused to exfiltrate sensitive local files under the guise of a Kindle helper.

Context-Inappropriate Capability

High
Confidence: 99%
Finding:
The code implements a generic local-file emailer: it reads any attacker- or user-supplied path and sends the raw contents as an attachment to an external email address. In the context of a skill supposedly for sending X/Twitter posts to Kindle, this is unjustified functionality that materially increases the risk of data exfiltration from the host environment.

Missing User Warnings

Medium
Confidence: 93%
Finding:
Instructing users to place SMTP credentials and app passwords in TOOLS.md normalizes insecure secret handling without warning or safeguards. Because markdown documentation is commonly visible to agents, developers, logs, and version control, this materially raises the chance of credential leakage and downstream account compromise.

Missing User Warnings

Medium
Confidence: 86%
Finding:
The script sends the attachment immediately once it can open the file and authenticate to SMTP, without any final confirmation or safety prompt that identifies the exact file path, filename, and destination email. When combined with arbitrary file-path input, the lack of a pre-send check makes accidental or unauthorized disclosure significantly more likely.

Ssd 3

High
Confidence: 98%
Finding:
Storing live email and Kindle credentials in a markdown file creates a natural-language secret exposure path to the agent and future outputs. In LLM-integrated environments, plaintext secrets in docs are especially dangerous because they can be surfaced in responses, prompts, debugging artifacts, or unrelated tool flows, enabling credential theft and unauthorized email sending.

VirusTotal

63/63 vendors flagged this skill as clean.
