Back to skill

Security audit

Bookworm

Security checks across malware telemetry and agentic risk

Overview

Bookworm is a local command-line logging tool that stores user-entered notes on disk; its main risk is ordinary privacy exposure from plain-text local logs, not hidden or malicious behavior.

Install only if you are comfortable with a local Bash tool that keeps your entries and exports in plain text under `~/.local/share/bookworm/`. Do not log secrets or highly sensitive personal/work information, verify what local command or alias will run as `bookworm`, and periodically delete the data directory or old exports if you no longer need them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The skill is presented as a book-reading tracker, but the documented functionality is a much broader generic productivity and logging system. This matters because users or policy layers may grant the skill access or trust based on the narrower stated purpose, while the broader behavior enables collection, storage, search, and export of arbitrary personal data beyond reading activity.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The documentation expands a reading-focused tool into a general work/personal tracker without clearly updating the declared scope. Scope drift is dangerous in agent ecosystems because a seemingly narrow skill can become a general-purpose data sink, increasing privacy exposure and making permission decisions less accurate.

Missing User Warnings

Low
Confidence
90% confidence
Finding
The skill writes user-supplied content to plaintext files under a predictable local path and supports export of the collected data, but the description does not foreground the sensitivity of this storage model. Users may enter private reading habits, notes, reminders, or work items without realizing they are being retained in easily readable local logs.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The script persistently stores user-provided content in local log files without clear upfront disclosure in the user-facing help or prompt surface. In the context of an agent skill, users may provide sensitive reading notes, reminders, plans, or personal data assuming ephemeral handling, which creates a confidentiality/privacy risk if the host is shared, backed up, or later inspected.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The export function aggregates all logged content into a new file on disk without a prominent warning, increasing the chance that sensitive user data is duplicated into a more portable and easily shared artifact. In an agent-skill setting, silent creation of consolidated exports can materially increase exposure through backups, accidental attachment, or access by other local users/processes.

VirusTotal

60/60 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.