koreader-highlights
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A crafted folder name, book filename, or search term could cause the local command to do more than read highlights.
The instructions place user- or filename-derived values into shell/Python command text without documented escaping, validation, or safe argument passing.
Run via tool: ls ~/Dropbox/Apps/<APP_NAME>/*.sdr.json ... with open('<FULL_PATH_TO_FILE>') ... if '<SEARCH_TERM>'.lower()
Avoid shell interpolation; use a reviewed helper or Python argv/pathlib under a fixed base directory, validate filenames, and confirm unexpected paths before reading.
The agent could repeatedly inspect local reading files and retain discoveries even when the user did not ask for a fresh lookup.
This instructs periodic local file monitoring and memory writes outside a direct user request, which goes beyond the main user-invoked highlight lookup flow.
On each heartbeat, check ... any `.sdr.json` file ... has a modification time newer than the last heartbeat ... Update `MEMORY.md`.
Make heartbeat monitoring opt-in, clearly disclose it in the skill description/metadata, and provide a simple way to disable or clear stored state.
Private reading interests, Dropbox highlight paths, and preferences may persist in the workspace and influence later answers.
The skill stores long-term local memory about reading habits and setup details, which is purpose-related but privacy-sensitive and reusable across sessions.
Durable facts, preferences, and decisions. Update this as you learn about your human's reading habits.
Store only minimal needed facts, disclose what is saved, and give users an easy way to view, edit, or delete memory.
Users may not see which files were accessed or why a local operation failed.
The artifact suppresses operational details from user-visible replies, which can reduce transparency when local tools are being run.
YOUR REPLY must NEVER contain ... File paths ... Tracebacks or error messages ... The words "command", "script", "execute", "output", or "terminal"
Keep replies non-technical by default, but allow plain-language disclosure of accessed locations and failures when the user asks.
A user or reviewer may have less visibility into the original first-run instructions after the skill operates.
The first-run instructions ask the agent to delete one of its own workspace files, which conflicts with the repeated read-only framing even if it targets only the skill's own bootstrap file.
This is your birth certificate. Follow these steps once, then delete this file.
Do not self-delete instruction files; mark bootstrap completion in memory instead, or ask the user before removing any workspace file.
