Calibre Catalog Read

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly coherent, but it needs Review because it ships extracted book-text cache files and has credential/error-handling risks around a workflow that can write back to Calibre comments.

Install only if you are comfortable giving the skill Calibre Content Server access, allowing full book export to local cache/subagent analysis, and allowing writes to the comments field. Remove bundled state/cache files before use, use a least-privilege Calibre account, restrict .env file permissions, avoid plaintext password arguments where possible, and clear the cache/database when analysis data is no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (17)

Description-Behavior Mismatch

Severity: Medium
Confidence: 90%

Finding
The README frames the skill as read-only catalog lookup, but it also documents a one-book analysis pipeline that extracts book text and sends work to subagent processing. That expands the data-handling and execution scope beyond simple metadata reads, creating a capability mismatch that can lead operators to grant broader trust and permissions than intended.

Context-Inappropriate Capability

Severity: Medium
Confidence: 86%

Finding
Requiring local Calibre binaries and command execution materially increases the attack surface for a skill presented as catalog lookup. Even if intended for read-only use, subprocess-capable tooling can expose the host environment to command misuse, unsafe argument handling, and unnecessary local file access if the surrounding wrappers are weak or later modified.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%

Finding
The README introduces subagent spawning, session orchestration, and completion handling, which is far beyond a simple catalog-read skill. This creates a larger execution and data-exfiltration surface because book content and task instructions may be handed to additional agents or services, increasing the chance of unintended disclosure or abusive task chaining.

Description-Behavior Mismatch

Severity: High
Confidence: 96%

Finding
The script clearly performs local state creation and mutation via SQLite initialization, inserts, and FTS indexing, which conflicts with the skill's stated read-only catalog lookup purpose. This mismatch is dangerous because it expands the skill's effective behavior to persistent data storage without clear disclosure, increasing privacy, integrity, and trust-boundary risk even if it does not directly modify the Calibre server.

Context-Inappropriate Capability

Severity: Medium
Confidence: 87%

Finding
The schema defines a reusable analysis storage and full-text search subsystem containing summaries, highlights, reread notes, and tags, which goes beyond a narrow read-only catalog lookup helper. In the context of a skill advertised as read-only lookup, this hidden capability increases the attack surface and can enable collection and retrieval of derived user/content data not implied by the skill description.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%

Finding
The script automatically loads connection settings and secrets from local .env files and process environment, including credentials, even though the skill is described as a read-only catalog lookup tool. This broadens the skill's data access surface and can cause unintended credential harvesting or use of sensitive local configuration without explicit user intent.

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%

Finding
The code discovers additional hosts from CALIBRE_SERVER_HOSTS, WSL resolver data, and host.docker.internal, then probes them automatically. That expands network reach beyond a single configured content server and can lead to unexpected internal network access or scanning behavior from what appears to be a simple lookup utility.

Description-Behavior Mismatch

Severity: High
Confidence: 99%

Finding
This handler contradicts the skill's declared read-only purpose by invoking `run_analysis_pipeline.py` via `runApply`, then marking the run as `applied_and_removed`. That means a catalog lookup skill can trigger state-changing behavior against the Calibre environment, creating a privilege/behavior mismatch that could be abused to cause unauthorized metadata or comment updates.

Context-Inappropriate Capability

Severity: Medium
Confidence: 88%

Finding
The script automatically loads configuration and secrets from both the current working directory `.env` and `~/.openclaw/.env`, expanding the trust boundary beyond explicit arguments. In a skill advertised for read-only catalog lookup, implicit secret ingestion increases the chance of using unintended credentials or attacker-influenced connection settings, especially if the working directory is user-controlled.

Description-Behavior Mismatch

Severity: High
Confidence: 97%

Finding
The script performs a Calibre metadata write via set_metadata on the comments field, which exceeds the advertised read-only lookup behavior except for a narrowly scoped analysis-comments workflow. Because the code applies the update automatically and merges generated HTML into existing comments, a caller expecting a read-only skill could trigger unintended persistent modification of library metadata.

Context-Inappropriate Capability

Severity: High
Confidence: 98%

Finding
The script exports the full book file and converts it to plain text for analysis, which is materially more powerful than a catalog lookup capability. In a skill presented as read-only catalog access, this broadens access to full-content exfiltration and processing, increasing privacy, copyright, and data-handling risk if invoked on sensitive library items.

Missing User Warnings

Severity: Medium
Confidence: 84%

Finding
The README instructs users to place authentication material in environment files and optional cache files, but it does not prominently warn about credential sensitivity, file permissions, rotation, or exposure risks. In practice, this can lead to plaintext secret storage in predictable locations and accidental leakage through backups, logs, or multi-user systems.

Vague Triggers

Severity: Medium
Confidence: 90%

Finding
The skill authorizes itself for 'natural conversational' book-reference turns and casual discussion where a lookup 'would improve the reply,' which creates broad and ambiguous activation criteria. In practice, that can cause the agent to initiate library queries, access server defaults, or start content-related workflows without a clear, user-requested command boundary.

Missing User Warnings

Severity: Low
Confidence: 81%

Finding
The code automatically creates parent directories, initializes a database, and writes records with no user-facing warning, audit notice, or consent flow. While not an exploit primitive by itself, undisclosed persistence is a security and privacy concern because operators may reasonably expect a 'read-only' skill not to create local data stores.

Missing User Warnings

Severity: Medium
Confidence: 98%

Finding
On subprocess failure, the thrown error includes the full command line, which may contain --username and --password values. This can leak credentials into logs, agent transcripts, error telemetry, or user-visible output, turning routine failures into secret disclosure events.

Missing User Warnings

Severity: Medium
Confidence: 96%

Finding
This code launches a subprocess that performs an apply pipeline and also mutates the state file by marking failures or removing runs, without any confirmation or visible guard in a skill described as read-only. In context, the lack of user-facing warning compounds the dangerous read/write mismatch and makes silent unintended modifications more likely.

Missing User Warnings

Severity: Medium
Confidence: 95%

Finding
The script updates metadata comments without an explicit confirmation step at the point of write, despite being attached to a skill whose primary description emphasizes read-only use. This creates a consent boundary problem where routine lookup usage could unexpectedly produce persistent state changes in the library.

VirusTotal

62/62 vendors flagged this skill as clean.