Hi Lite

Security checks across malware telemetry and agentic risk

Overview

Hi-Lite appears intended for Kindle highlight management, but its Amazon fetch mode stores an authenticated Amazon browser session locally, and that behaviour is neither clearly bounded nor adequately documented.

Manual import and local search are comparatively contained. Review carefully before using /hi-lite fetch: it opens Amazon, may require you to sign in, and saves reusable Amazon session data locally. Use it only on a trusted machine, and remove ~/.openclaw/workspace/hi-lite/.browser-data/ when you no longer want that session retained.

SkillSpector

By NVIDIA

Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Intent-Code Divergence (Medium, 96% confidence)

The README makes an absolute privacy claim that nothing is sent to any server, but the documented auto-fetch feature clearly connects to Amazon and requires browser-based authentication. This can mislead users into enabling networked functionality under false assumptions about data flow, which is a real security/privacy documentation issue even if the transfer is only to Amazon as part of the feature.

Description-Behavior Mismatch (Medium, 95% confidence)

The skill is marketed as 'locally, for free' and 'no cloud,' yet later advertises direct fetching from Amazon over the network. Even if the core storage is local, this contradiction can cause users to trust the tool more than warranted and overlook that credentials, session cookies, and reading data may be involved in a live browser session with a third party.

Description-Behavior Mismatch (Medium, 94% confidence)

The skill markets itself as a local-only highlight tool, but later includes a web automation flow that logs into Amazon and scrapes data from a remote service. This discrepancy can mislead users about network access, credential exposure, and the true trust boundary of the skill.

Intent-Code Divergence (Medium, 95% confidence)

Claiming that all data stays local is inaccurate because the fetch workflow requires visiting Amazon and retrieving content from a remote website. Even if downloaded data is stored locally afterward, the misleading statement can cause users to underestimate privacy and account-security implications.

Context-Inappropriate Capability (Medium, 92% confidence)

The skill instructs the agent to write and execute a generated Python scraper and shell commands, which materially expands its power from simple note management into code execution and browser automation. If triggered unexpectedly or modified, this creates a larger attack surface, including arbitrary command execution, unsafe script generation, and handling of authenticated sessions.

Vague Triggers (Medium, 87% confidence)

The search triggers include broad natural-language phrases that are likely to overlap with ordinary conversation, increasing the chance the skill activates when the user did not intend to use it. Unintended activation matters here because the skill can read local files and, in some flows, set up state or perform follow-on actions.

Vague Triggers (Medium, 90% confidence)

Phrases like 'surprise me' and 'give me a random quote' are common conversational language and may accidentally trigger the skill outside the user's intended context. Because the action reads stored highlights and reveals content, accidental invocation can expose private reading notes in the wrong conversation context.

Vague Triggers (Medium, 86% confidence)

Collection-creation triggers such as 'create a [theme] collection' are underspecified and can collide with normal requests unrelated to this skill. Since collection creation writes files and curates data automatically, accidental invocation can cause unintended persistence and modification of the workspace.

Missing User Warnings (Medium, 95% confidence)

The skill persists Amazon session cookies in a local browser profile without prominently warning users about the security and privacy consequences. Persistent authenticated session data can be reused by other local processes or users with filesystem access, increasing the impact of compromise beyond the highlights themselves.

VirusTotal

66/66 vendors flagged this skill as clean.