Back to skill

Security audit

Readwise & Reader API

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Readwise integration, but it can read, change, and delete items in the user's Readwise or Reader account when given an API token.

Install only if you are comfortable giving the skill a Readwise API token. Treat READWISE_TOKEN like a password, use the skill only for explicit Readwise or Reader tasks, and verify the exact document or highlight ID before any update or delete operation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
84% confidence
Finding
The skill documents use of a shell-based CLI (`scripts/readwise.sh`) but does not declare corresponding permissions or clearly scope what shell access is needed. This creates a mismatch between the skill's apparent trust boundary and its actual execution capabilities, which can lead to unintended command execution risk or insufficient review of how external inputs are passed into the shell script.

Vague Triggers

Medium
Confidence
78% confidence
Finding
The description activates on very broad phrases such as interacting with Readwise/Reader "in any way," which can cause the skill to trigger for generic reading, saving, browsing, or search requests beyond the user's specific intent. Overbroad activation increases the chance that a credentialed external-service skill is invoked unnecessarily, exposing user data or causing unintended state-changing actions.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documentation includes destructive delete operations (`readwise.sh delete DOC_ID` and `highlight-delete`) without warning, confirmation guidance, or mention of reversibility. In a skill that manages user content on an external service, this makes accidental or overly eager deletion more likely and can cause irreversible loss of saved documents, highlights, or notes.

Missing User Warnings

Low
Confidence
81% confidence
Finding
The setup instructs users to provide a `READWISE_TOKEN` but does not clearly warn that the skill will use that credential to access and modify data in external Readwise/Reader accounts. Missing disclosure weakens informed consent and may cause users to grant broad account access without understanding the scope of reads, writes, updates, and deletes the skill can perform.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The delete command permanently removes a Reader document immediately after receiving an ID, with no confirmation prompt, dry-run mode, or safeguard against accidental invocation. In an agent/tooling context, this is risky because mistaken argument selection, prompt injection influencing the agent, or user ambiguity can cause irreversible data loss.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The highlight-delete command deletes a highlight solely based on the provided ID and then reports success, without any user-visible warning or confirmation step. This creates a realistic accidental-destruction path in agent workflows where the wrong item may be selected or where untrusted content can steer the agent into issuing destructive actions.

Tool Parameter Abuse

High
Category
Tool Misuse
Content
Body fields (all optional): `title, author, summary, published_date, image_url, seen, location, category, tags, notes`

### DELETE /delete/{document_id}/ — Delete Document

Returns 204.
Confidence
88% confidence
Finding
DELETE /delete/{document_id}/

Tool Parameter Abuse

High
Category
Tool Misuse
Content
Body: `{text?, note?, location?, url?, color?}` — color: yellow, blue, pink, orange, green, purple

### DELETE /highlights/{id}/ — Delete Highlight

### Highlight Tags
Confidence
88% confidence
Finding
DELETE /highlights/{id}/

Tool Parameter Abuse

High
Category
Tool Misuse
Content
- `GET /highlights/{id}/tags/` — list tags
- `POST /highlights/{id}/tags/` — add tag `{name: "tag"}`
- `DELETE /highlights/{id}/tags/{tag_id}` — remove tag

### GET /books/ — List Books
Confidence
84% confidence
Finding
DELETE /highlights/{id}/tags/{tag_id}`

VirusTotal

52/52 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.