article-bookmarker

Security checks across malware telemetry and agentic risk

Overview

This skill is an article bookmarker whose behaviour is disclosed up front: it saves articles locally and can sync them to a configured GitHub repository.

Install this only into a dedicated bookmark folder. Leave ARTICLE_BOOKMARK_GITHUB unset if you want local-only storage, and do not bookmark private, proprietary, or sensitive pages unless you are comfortable with them being stored in local files, in git history, and possibly in a private GitHub repository.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 97%
Finding:
The skill presents itself as a bookmark/summarization helper, but its documented workflow includes initializing a git repository and committing/pushing article contents and metadata to GitHub. That mismatch is security-relevant because users may provide private article text, notes, or URLs without realizing the skill persists and synchronizes them to a remote service, creating a real risk of unintended data disclosure and overbroad trust.

Context-Inappropriate Capability

Severity: Medium
Confidence: 88%
Finding:
Automatically creating a GitHub repository and pushing bookmark content to a remote service can exfiltrate article metadata, notes, summaries, and potentially sensitive URLs outside the local environment. In a bookmarking skill, remote sync is plausible, but auto-creation/push without strong consent boundaries makes the capability materially more dangerous because users may not expect private reading data to be published or stored off-device.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding:
The description 'Use when the user wants to bookmark or collect articles' is broad enough that the skill may be invoked for many article-handling requests without making clear that it writes files and pushes them to GitHub. In context, broad triggering increases the chance of accidental invocation on sensitive content and unintended exfiltration to remote storage.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding:
The skill instructs the agent to save bookmark files and then run a save step that commits and pushes changes, but it does not clearly warn users that article bodies, summaries, tags, and metadata may be stored in git history and uploaded to GitHub. This is dangerous because even a private repository can expose sensitive research, proprietary text, or personal reading history, and git history makes accidental disclosure harder to fully undo.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding:
The example instructs the agent to save full extracted article content, summaries, URLs, and metadata to a local directory and update an index, but it does not tell the user that content will be stored persistently on disk. That creates a privacy and data-retention risk, especially if bookmarked pages contain personal, proprietary, or sensitive information the user did not expect to be written to local files.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding:
The workflow says to use web_fetch on a user-provided URL without warning that this makes a network request to a remote site. Even when user-initiated, this can disclose browsing intent, send requests to untrusted infrastructure, or, if the environment allows it, reach internal or private addresses (an SSRF-style risk), so the absence of a network/privacy notice is a real security concern.
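The two recurring gaps in the findings above are a missing consent boundary before anything is committed and pushed, and an unguarded web_fetch on a user-supplied URL. The following is an added example of the pre-save checks a bookmarking skill could run; it is not code from article-bookmarker or from SkillSpector. It assumes only the ARTICLE_BOOKMARK_GITHUB variable named on this page; the function names, the blocked-host list and the sample addresses in the docstrings are hypothetical.

```python
"""Guard checks to run before an article-bookmarking skill fetches, persists or syncs.

Added example for this listing, not the skill's own code. Assumes the skill reads
ARTICLE_BOOKMARK_GITHUB (named on this page); helper names are hypothetical.
"""
import ipaddress
import os
import socket
from urllib.parse import urlparse

# Hostnames an agent must never fetch even if DNS says they are public.
# The cloud metadata name is the classic SSRF target. (Hypothetical list.)
BLOCKED_HOSTS = {"localhost", "metadata.google.internal"}


def resolve_to_ips(host: str):
    """Resolve a hostname to its address strings (every A/AAAA answer)."""
    infos = socket.getaddrinfo(host, None)
    return sorted({info[4][0] for info in infos})


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def is_public_url(url: str, resolver=resolve_to_ips) -> bool:
    """Return True only for http(s) URLs whose host resolves solely to global addresses.

    Loopback, link-local (169.254.0.0/16, which covers the AWS/Azure metadata
    address), RFC 1918 and other non-global ranges are rejected, so a bookmark
    request cannot be turned into a request against internal infrastructure.
    The resolver is injectable so the check can be tested offline.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return False
    host = parsed.hostname.lower()
    if host in BLOCKED_HOSTS:
        return False
    try:
        # Literal IPs skip DNS; hostnames are resolved and every answer is checked,
        # so a name that mixes public and private answers is still refused.
        ips = [host] if _is_ip_literal(host) else resolver(host)
    except socket.gaierror:
        return False
    if not ips:
        return False
    return all(ipaddress.ip_address(ip).is_global for ip in ips)


def sync_decision(env=None, user_confirmed: bool = False) -> str:
    """Decide what the save step may do after the bookmark files are written locally.

    'local'  : ARTICLE_BOOKMARK_GITHUB unset, so never init/commit/push.
    'push'   : a repository is configured AND the user explicitly confirmed
               remote sync in this session.
    'prompt' : a repository is configured but nothing was confirmed, so the
               agent must first warn that article bodies, summaries, tags and
               URLs will enter git history and the remote repository.
    """
    env = os.environ if env is None else env
    repo = env.get("ARTICLE_BOOKMARK_GITHUB", "").strip()
    if not repo:
        return "local"
    return "push" if user_confirmed else "prompt"


if __name__ == "__main__":
    # Constructed inputs: a metadata endpoint and a private address must be refused.
    for candidate in ("http://169.254.169.254/latest/meta-data/", "http://10.0.0.5/admin"):
        print(candidate, "public" if is_public_url(candidate) else "refused")
    print("save step:", sync_decision({}, False))
```

The URL check runs before web_fetch and the sync decision runs after the local write, so a misconfigured or unconfirmed session stops at the local index rather than at a pushed commit; note that a resolver check is a point-in-time answer, and a host that changes its DNS answer between check and fetch still needs the fetch itself to pin the resolved address.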

VirusTotal

64 of 64 vendors reported this skill as clean.