WeRead Companion (微信读书伴侣)

Security checks across malware telemetry and agentic risk

Overview

This WeRead companion skill handles sensitive reading data, but its network access, API key use, reports, reviews, and note exports are disclosed and aligned with its stated purpose.

Install only if you are comfortable giving the skill access to your WeRead API key and private reading history. Avoid exporting notes to shared, synced, or public folders, and review generated reports or JSON before sharing them because they may contain personal reading activity and public reviewer identifiers.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
87% confidence
Finding
The skill instructs the agent to use environment variables, read files from another installed skill, write exported notes, and access remote network resources, but the manifest does not declare corresponding permissions. This creates a transparency and policy gap: operators may approve the skill without realizing it can access secrets, local files, and external endpoints, which is especially relevant here because the skill handles personal reading notes and depends on an API key.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The default prompt is broadly phrased and directly invokes the skill for a common user goal, which can increase unintended or overly eager activation when a user mentions related reading tasks. Because the skill can perform recommendation, analysis, and export-style workflows, accidental invocation could expose user reading context or trigger actions the user did not explicitly intend.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The workflow explicitly supports exporting personal highlights and thoughts to an arbitrary local path, but it provides no user-facing warning about the sensitivity of that content or the risks of writing it to disk. In a reading-assistant context, notes may contain private reflections, quotations, or sensitive personal information, so silent export increases the chance of unintended disclosure through shared machines, synced folders, backups, or insecure destinations.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
This script exports a user's personal WeRead highlights and thoughts either to stdout or to an arbitrary output file, and the content clearly contains sensitive reading history and annotations. In a skill specifically designed for note export, this behavior is expected, but the lack of an explicit warning/confirmation increases the risk of accidental disclosure into terminal logs, chat transcripts, shared shells, or insecure files.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script collects and outputs bookshelf metadata including private item counts, per-book privacy flags, recent reading activity, and titles/authors of recently accessed books. In a reading-companion skill, this is legitimately useful, but it still exposes sensitive behavioral data without any in-script warning, confirmation, or minimization, which can lead to unintended disclosure if the report is shared or logged.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The code fetches and returns public review metadata that includes persistent user identifiers and, via clean_author, avatar URLs. Even if the source data is publicly accessible, aggregating and reformatting it in a skill output increases ease of collection and redistribution, and the file provides no disclosure, minimization, or consent prompt before exposing third-party profile data.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The single-review lookup pulls author fields from a network response and exposes them directly, including userVid and avatar in markdown output and the full raw response in JSON mode. This creates unnecessary disclosure of third-party data and can enable profiling or downstream misuse, especially because reviewId-based lookup may make targeted retrieval easy.

VirusTotal

65/65 vendors flagged this skill as clean.