X Article Reader

Security checks across malware telemetry and agentic risk

Overview

The skill appears to read X articles aloud as claimed, but it stores a reusable X login session and opens user-supplied URLs in that logged-in browser without tight safeguards.

Install only if you are comfortable logging into X through this skill and storing a local reusable X session inside the skill directory. Use it only with intended X Article URLs, avoid arbitrary links, and delete or protect data/browser_state when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 90%
Finding:
The skill documentation indicates capabilities for shell execution, file reads/writes, and persistent local state, but it declares no permissions. This under-specifies the skill's actual power, preventing informed consent and making it easier for a user or platform to invoke code that accesses local files, stores authentication state, and runs system commands without explicit review.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 95%
Finding:
The stated purpose is narrow—reading an X article aloud—but the documented behavior also includes an authenticated login flow, persistent browser profile storage, browser automation, and saving output to disk. This mismatch is security-relevant because users may authorize the skill expecting transient TTS behavior while it actually handles session state and broader local access, increasing the risk of credential exposure and misuse of persistent authentication.

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding:
The script launches a persistent browser context and explicitly saves X authentication state to local files, creating reusable session material that can be consumed later by other code. For a skill whose stated purpose is reading articles aloud, storing a reusable logged-in browser session broadens capability into account access and increases the risk of credential/session theft if the skill directory is readable by other local processes or future skill code.

Intent-Code Divergence

Severity: Low
Confidence: 83%
Finding:
The docstring claims the authentication data is completely isolated from other skills, but the code only writes files under the skill directory and does not enforce OS-level isolation, permissions hardening, or sandbox boundaries. This can mislead users into overtrusting the storage model and expose sensitive session data to other local code with filesystem access.

Vague Triggers

Severity: Medium
Confidence: 78%
Finding:
Broad trigger phrases like 'read aloud' or '读出来' are generic and may cause the skill to activate when a user intended a different reading capability. In a skill that launches browser automation, accesses authenticated X content, and invokes local speech/output commands, accidental invocation expands exposure beyond the intended x.com/articles context.

VirusTotal

66/66 vendors flagged this skill as clean.
