Audible Goodreads Deal Scout

Security checks across malware telemetry and agentic risk

Overview

This is mostly a disclosed Audible/Goodreads deal helper, but its optional Audible authentication stores durable account tokens and extra account/device data that users should review carefully.

Install only if you are comfortable with local Goodreads/notes artifacts and optional Audible token storage. Use the public, unauthenticated workflow unless member-visible prices are important to you. If you enable Audible auth, keep the auth file out of shared, synced, or backed-up folders, review delivery targets before sending, and enable cron only when you want scheduled runs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Tp4

High
Category
MCP Tool Poisoning
Confidence
85% confidence
Finding
The skill description understates the breadth of privileged behavior: beyond evaluating deals, it supports auth-token handling, cron registration, outbound delivery, diagnostics, and other operational actions. That mismatch can mislead users or reviewers into granting trust to a skill with broader capabilities than its top-level description suggests, increasing the chance of over-privileged installation or unsafe use.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
This file implements a full external login, authorization-code capture, device registration, token storage, and token refresh flow for Audible, which materially exceeds a deal-scout skill's stated scope. Even if intended to support member-price lookup, bundling account-authentication capability creates unnecessary access to user account tokens and expands the blast radius if the skill is misused or compromised.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The code impersonates an Audible iOS client by hardcoding device type/app identifiers and registering a synthetic device to obtain bearer and refresh tokens. This is dangerous because it bypasses normal trust boundaries, acquires durable account credentials, and enables continued authenticated API access that is not justified by the skill's Goodreads/Audible deal-analysis purpose.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
This file allows arbitrary outbound delivery through the external openclaw messaging CLI using configurable channel and target values. In the context of a deal-scout skill, that capability is broader than core evaluation logic and can be abused for unintended exfiltration, spam, or delivery to attacker-controlled destinations if configuration is tampered with or user input is over-trusted.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The skill can create persistent cron jobs through an external CLI, extending its behavior from one-time deal analysis to long-lived scheduled execution. In this context that increases risk because a misconfigured or abused skill can establish persistence, repeatedly run, and continually process or transmit data beyond a single user action.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The code persists personal Goodreads-derived data and optional reading notes to local artifact files via write_artifacts(), including matched entries, review-derived context, and notes text. While this appears to support normal skill functionality rather than malicious collection, it creates privacy risk because sensitive preference/history data is stored on disk without any clear consent gate, retention limit, or protection shown in this file.

Missing User Warnings

Medium
Confidence
72% confidence
Finding
Cron registration modifies external scheduler state and creates persistence, but this path can be triggered programmatically when register_cron is enabled without any confirmation logic in this file. For a deal-checking skill, silently adding scheduled jobs is security-relevant because it changes system behavior beyond the immediate task and may surprise users or be abused by higher-level orchestration.

Missing User Warnings

Medium
Confidence
79% confidence
Finding
The function can send arbitrary message content to external channels and targets with no disclosure or confirmation in this file. In a skill that may process notes, CSV-derived data, and deal results, this raises a real risk of unintentional data disclosure or misuse if delivery parameters are attacker-influenced or users are unaware that outbound transmission occurs.

VirusTotal

57/57 vendors flagged this skill as clean.
