Bookmark Organizer

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a local bookmark organizer with an optional link-checking mode that users should treat as privacy-sensitive.

Install only if you are comfortable processing your bookmark export locally and storing the generated Markdown files. Use --check-links only when you are comfortable contacting every bookmarked URL; avoid it for exports containing intranet links, account-specific URLs, or links with embedded tokens.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Context-Inappropriate Capability

Medium
Confidence: 89%
Finding
The script is presented as a bookmark organizer, but when --check-links is enabled it makes live outbound requests to every bookmark and executes an external program to do so. In a skill/agent context this can unexpectedly disclose a user's browsing interests to remote servers and trigger unanticipated network activity against untrusted destinations.

Missing User Warnings

Medium
Confidence: 95%
Finding
Each bookmark URL is transmitted to the corresponding remote site during link checking, which may reveal private or sensitive bookmark contents such as internal services, personal documents, or research topics. Because the script does not prominently warn about this privacy consequence, users may enable the feature without understanding that their bookmark list is being disclosed externally.

VirusTotal

66/66 vendors flagged this skill as clean.
