Url Reader

Security checks across malware telemetry and agentic risk

Overview

This URL-reading skill mostly does what it claims, but it has review-worthy privacy and persistence risks around saving fetched content, using third-party URL processors, and retaining WeChat login session data.

Install only if you are comfortable with URL content and images being saved locally and with some URLs or page data potentially being sent to third-party services. Avoid using it for private, internal, tokenized, or regulated links unless you have confirmed a local-only mode. If you use the WeChat reader, treat the saved browser state as a login secret and delete it when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (10)

Context-Inappropriate Capability

Medium
Confidence: 89%
Finding
The script is designed to preserve and reuse a logged-in WeChat browser session, which grants ongoing access to account-scoped content beyond a single interactive run. In a generic URL-reading skill, persistent personal session reuse increases the risk of unauthorized access if the auth file is copied, reused by other components, or left on a shared system.

Context-Inappropriate Capability

High
Confidence: 97%
Finding
The code writes Playwright storage state to a JSON file, which can contain cookies and session artifacts sufficient to impersonate the logged-in WeChat session. Anyone with filesystem access to that file may be able to reuse the session without re-authenticating, turning local file exposure into account compromise.

Missing User Warnings

Medium
Confidence: 92%
Finding
The README advertises that content and images are 'automatically saved to local' but does not clearly disclose the filesystem side effect, default storage location, or user consent model. This can lead users to unintentionally persist sensitive or copyrighted material on disk, especially in an agent environment where users may assume a read-only fetch operation.

Missing User Warnings

High
Confidence: 97%
Finding
The documented architecture routes user-supplied URLs and retrieved page content through third-party services such as Firecrawl and Jina, but the README does not warn users that their inputs and potentially sensitive page data may be transmitted off-box. In a URL-reading skill, this materially increases privacy and data-handling risk because users may paste internal, private, or regulated links expecting local processing.

Missing User Warnings

Medium
Confidence: 94%
Finding
The script constructs and displays a Jina Reader URL that forwards the user-supplied target URL to an external third-party service. In the context of a URL-reading skill that claims to read arbitrary URLs, this can expose private, internal, tokenized, or sensitive URLs to an external provider without explicit consent, validation, or warning, creating a real privacy and data-handling risk.

Missing User Warnings

Medium
Confidence: 94%
Finding
The script writes scraped content and downloaded images to disk, including into a hard-coded default directory, and creates directories/files automatically. In an agent context, implicit filesystem writes are security-relevant because they can persist untrusted remote content locally, surprise the user, overwrite expected workspace state, and create privacy/compliance issues if the user was not clearly warned or did not explicitly opt in.

Missing User Warnings

Medium
Confidence: 94%
Finding
Sensitive authentication material is persisted locally with no meaningful warning about credential sensitivity, retention, or sharing risks. In an agent skill context, this is more dangerous because users may treat the tool as a simple reader and not realize it creates reusable login state on disk that other processes or users could access.

Missing User Warnings

Medium
Confidence: 90%
Finding
The script persists Playwright storage state, which can include cookies and other session artifacts for WeChat, to a local JSON file without any access controls, expiry, or user-facing warning. In a URL-reading skill that may be run on shared systems or agent infrastructure, this can enable unintended session reuse or theft if the file is accessed by another user, process, or later task.

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill prominently advertises automatic local saving of fetched content and downloaded images, but the user-facing description does not clearly warn that invoking the skill will write files to a fixed local directory. This can lead to unexpected persistence of potentially sensitive or copyrighted material on disk, especially in shared or synced environments, and reduces informed user consent.

Missing User Warnings

High
Confidence: 98%
Finding
The documented workflow routes user-supplied URLs and potentially page contents through third-party services such as Firecrawl and Jina, yet there is no prominent privacy warning or consent step. This is dangerous because submitted links may contain private tokens, internal resources, or sensitive browsing targets, and the fetched content may be transmitted to external providers outside the user's control.

VirusTotal

66/66 vendors flagged this skill as clean.
