weread_assitant

Security checks across malware telemetry and agentic risk

Overview

This is a real WeRead-to-Obsidian bridge, but it should be reviewed because it can use a logged-in browser session and overwrite Obsidian notes without enough explicit user control.

Install only if you are comfortable letting the skill use your logged-in WeRead browser session, store reading data under output/, and create or overwrite notes in your Obsidian vault. Keep Chrome remote debugging off when not in use, review generated files before publishing or sharing them, and prefer explicit one-book sync commands over implicit activation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Context-Inappropriate Capability

Medium (94% confidence)
This helper exposes generic Chrome DevTools control primitives: creating tabs, navigating to arbitrary URLs, evaluating arbitrary JavaScript in page context, scrolling, and taking screenshots. In the context of a skill that reuses the user's logged-in Chrome session, that effectively grants broad access to authenticated web content far beyond WeRead, enabling data exfiltration, session abuse, and arbitrary interaction with any site reachable by the browser.

Missing User Warnings

Medium (91% confidence)
The skill explicitly instructs publishing generated Markdown into an Obsidian vault and notes that `obsidian-cli create --overwrite` is used, but it does not require an explicit confirmation or warning before overwriting existing notes. In this context, the danger is unintended local data loss or corruption of user notes if title matching, export rendering, or vault targeting is wrong.

Missing User Warnings

Medium (86% confidence)
The skill is designed to capture visible book content and shelf state from the user's logged-in WeRead Chrome session, which can include reading history, book metadata, and potentially copyrighted or sensitive personal reading data. Although the document mentions least-privilege behavior, it lacks a clear privacy warning and explicit consent language about what user data will be accessed, stored locally, and propagated into downstream tools like Obsidian, Feishu, or OpenClaw.

Vague Triggers

Medium (94% confidence)
The default prompt is broad enough to match common user requests about reading notes, reflections, or Obsidian edits, which creates a realistic risk of unintended skill invocation. Because the skill can sync WeRead content and write polished reflections into a local notes workspace, an accidental trigger could expose reading data or modify user files without sufficiently explicit user intent.

Vague Triggers

Medium (97% confidence)
Enabling implicit invocation without clear boundaries allows the platform to trigger this skill from ambiguous natural-language requests. In this skill's context, that is more dangerous because it relies on the user's logged-in Chrome session and can access bookshelf state, reading progress, visible content, and potentially write results into Obsidian, increasing the chance of unintended data access or modification.

Missing User Warnings

Medium (92% confidence)
The manifest advertises writing polished reflections back into Obsidian but does not warn users that their local notes may be modified. This can mislead users into invoking what appears to be a read/sync workflow when it also performs write operations, creating risk of silent overwrites, unwanted edits, or insertion of transformed content into a trusted notes repository.

Missing User Warnings

Medium (92% confidence)
The script collects data from the user's authenticated WeRead browser session, including shelf metadata and a body text snippet from the page, then writes it to a local JSON file without any explicit consent prompt, minimization check, or warning at the point of collection. In this skill's context, that creates a real privacy and data-handling risk because reading history, book identifiers, and visible content may be sensitive and can persist on disk longer than the user expects.

Missing User Warnings

Medium (91% confidence)
The script reads arbitrary Markdown content from local files and passes the full contents to an external program, `obsidian-cli`, which publishes them into an Obsidian vault without any confirmation prompt, preview, allowlist, or explicit disclosure at execution time. In this skill's context, the exported WeRead material may include visible book text, notes, or metadata, so a user can unintentionally propagate sensitive or copyrighted content into another synced workspace, increasing the chance of oversharing or policy violations.

VirusTotal

66/66 vendors flagged this skill as clean.
