
Security audit

koreader-highlights

Security checks across malware telemetry and agentic risk

Overview

This highlights skill mostly does what it says, but it claims to be read-only while also telling the agent to save personal data and delete a setup file.

Review this skill before installing. It can help read KOReader highlights, but a safer version should either be truly read-only or clearly ask before storing paths, profile details, reading preferences, heartbeat discoveries, or deleting any file.

SkillSpector (by NVIDIA)

Vulnerability patterns checked:
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands

Findings (27)

Context-Inappropriate Capability

Severity: Medium | Confidence: 97%
The skill instructs the agent to automatically read SOUL.md, USER.md, MEMORY.md, and daily memory files before responding, even though the declared purpose is limited to KOReader highlights retrieval. This creates unnecessary access to unrelated workspace data and can expose sensitive user context or internal instructions when the skill is invoked for a narrow read-only task.

Description-Behavior Mismatch

Severity: Medium | Confidence: 95%
The documented startup behavior expands the skill from a KOReader-only retrieval tool into a broader workspace reader by requiring preloading of multiple non-KOReader files. That mismatch between manifest scope and actual behavior weakens least-privilege boundaries and increases the chance of unauthorized data exposure during routine use.

Description-Behavior Mismatch

Severity: High | Confidence: 99%
The skill is advertised as read-only, but the bootstrap instructs the agent to modify MEMORY.md. This creates a hidden write capability that can persist data without clear user consent, violating the declared trust boundary and enabling unauthorized state changes on the local system.

Description-Behavior Mismatch

Severity: High | Confidence: 99%
The bootstrap directs the agent to update USER.md even though the skill claims it never modifies files. This is a true capability mismatch and also expands the skill from reading highlights into storing personal profile data unrelated to its core function.

Description-Behavior Mismatch

Severity: High | Confidence: 99%
Instructing the agent to delete BOOTSTRAP.md directly contradicts the claim that the skill never modifies files. Self-deleting setup instructions are especially risky because they remove auditability and can conceal what actions the skill was told to perform.

Context-Inappropriate Capability

Severity: Medium | Confidence: 96%
Collecting and persisting preferred name and timezone is unrelated to reading KOReader highlights and exceeds the minimum data needed for the stated task. This unnecessary data collection increases privacy risk and creates avoidable retention of personal information.

Intent-Code Divergence

Severity: High | Confidence: 98%
The bootstrap explicitly describes the agent as read-only, then later instructs it to modify files and delete itself. This inconsistency is dangerous because users and higher-level policy may rely on the read-only claim while the embedded instructions attempt more powerful actions.

Description-Behavior Mismatch

Severity: Medium | Confidence: 96%
The heartbeat instructions explicitly direct the agent to update MEMORY.md, which contradicts the skill's stated read-only behavior and 'never modifies files' claim. Even though the target is a memory file rather than user data, this is still an undocumented write capability that can surprise users, weaken trust boundaries, and create a path for unintended persistence across sessions.

Intent-Code Divergence

Severity: Medium | Confidence: 94%
The file labels the behavior as 'Read-only' while also permitting updates to workspace memory files, creating an internal policy contradiction. This kind of mismatch is dangerous because agents or operators may rely on the safer claim while the embedded instructions still authorize persistence, leading to unauthorized state changes and misleading security expectations.

Intent-Code Divergence

Severity: Medium | Confidence: 95%
The memory file explicitly instructs the agent to maintain durable facts about the user's reading habits, which conflicts with the skill's stated read-only retrieval purpose. This expands the skill from simple data access into persistent profiling and state retention, creating unnecessary privacy and scope-creep risk.

Context-Inappropriate Capability

Severity: Medium | Confidence: 94%
The file directs collection of reading habits, preferred formats, topical interests, and data quirks, which amounts to long-term user profiling unrelated to the narrow task of retrieving KOReader highlights. Reading history and annotation behavior can reveal sensitive interests, beliefs, or health and political topics, so persistent storage increases privacy exposure.

Description-Behavior Mismatch

Severity: Medium | Confidence: 97%
The skill advertises itself as read-only but explicitly instructs the agent to persist discovered user-specific data into MEMORY.md. That creates an unauthorized write side effect and stores filesystem/location metadata across sessions without clear user consent, expanding data retention beyond the immediate task.

Intent-Code Divergence

Severity: Medium | Confidence: 94%
The skill contains contradictory guarantees: it claims to be read-only and later says it must refuse file writes, yet it also directs the agent to write to MEMORY.md. This inconsistency is dangerous because it can mislead reviewers and users about the skill's actual behavior, causing silent persistence of sensitive path information.

Intent-Code Divergence

Severity: High | Confidence: 98%
The file makes a strong read-only and scope-limited claim, then contradicts it by instructing the agent to update MEMORY.md. That creates an undisclosed write capability and expands access beyond Dropbox HighlightSync data, which can mislead users and downstream systems that rely on the documented safety boundary.

Description-Behavior Mismatch

Severity: High | Confidence: 99%
The persistence instruction directly conflicts with the stated limitation to Dropbox HighlightSync data and introduces hidden state across sessions. Persistent memory can store sensitive user reading habits, file locations, or preferences without transparent authorization, undermining the skill's declared trust model.

Context-Inappropriate Capability

Severity: Medium | Confidence: 95%
Writing durable facts to MEMORY.md is unrelated to the core task of retrieving KOReader highlights and broadens the skill's operational scope. Even if intended for convenience, this creates unnecessary data retention and a path for storing potentially sensitive metadata outside the expected highlight source.

Vague Triggers

Severity: Medium | Confidence: 90%
The instruction to automatically read several files at session start is broad and not clearly tied to a specific user request or activation condition. In practice, this can cause over-collection of data whenever the skill loads, including cases where the user only asked a narrow question about highlights.

Missing User Warnings

Severity: Medium | Confidence: 93%
The skill description says it is read-only and focused on KOReader retrieval, but it does not warn that unrelated workspace files will be read automatically. This lack of disclosure undermines user expectations and can result in silent collection of additional personal or operational data.

Missing User Warnings

Severity: Medium | Confidence: 97%
The bootstrap tells the agent to modify MEMORY.md automatically without warning or asking the user. Silent persistence is risky because it changes local state outside the user's immediate request and can normalize hidden side effects in a skill presented as retrieval-only.

Missing User Warnings

Severity: Medium | Confidence: 98%
The skill instructs the agent to collect personal information and write it to USER.md without a privacy warning or explicit permission. That creates an avoidable privacy issue and breaks user expectations for a highlight-reading tool.

Missing User Warnings

Severity: High | Confidence: 99%
Deleting BOOTSTRAP.md without explicit warning or confirmation is a high-risk destructive action. Beyond modifying local state, it removes evidence of the bootstrap instructions themselves, which undermines transparency and incident review.

Missing User Warnings

Severity: Low | Confidence: 89%
The instructions authorize modifying a workspace file without explicit user-facing disclosure at the point of use. While the modification appears limited to logging new books/highlights and is not overtly malicious, silent persistent writes can still expose activity patterns, surprise users, and violate expectations for a retrieval-only skill.

Vague Triggers

Severity: Medium | Confidence: 88%
The instruction to 'discover on first session' a Dropbox highlights path is underspecified and lacks clear boundaries on where or how broadly the agent may search. In practice, this can justify overbroad filesystem or cloud-folder exploration beyond the user's immediate request, increasing data exposure risk.

Missing User Warnings

Severity: Medium | Confidence: 93%
The file describes storing Dropbox-related data and user preferences in durable memory without any user-facing disclosure that data will persist across sessions. Silent persistence of filesystem locations and reading-related preferences undermines user expectations and can expose sensitive behavioral information over time.

Missing User Warnings

Severity: Medium | Confidence: 96%
Saving the discovered highlights path to MEMORY.md without any user-facing notice or permission introduces covert persistence of personal environment information. Even though the data is not highly sensitive by itself, it can reveal storage layout, app usage, and Dropbox structure, and it may later be reused outside the user's expectations.

VirusTotal

66/66 vendors flagged this skill as clean.