reMarkable Cloud

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: it sends files and web articles to a reMarkable tablet, but it depends on a third-party cloud tool and cached account access.

Install only if you are comfortable connecting rmapi to your reMarkable Cloud account. Prefer a reviewed or pinned rmapi release, protect or clear ~/.rmapi when needed, and confirm the URL, local file, and destination folder before sending anything to the cloud.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill advertises and instructs use of network access, shell commands, and file-writing behavior without any declared permission model or user-facing guardrails. This creates a mismatch between apparent capability and disclosed authority, increasing the risk of the agent invoking the skill in contexts where the user did not clearly consent to external uploads, local writes, or command execution.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The sanitizer first unwraps disallowed tags before decomposing script/style/iframe/noscript, which means the contents of disallowed containers can be preserved as text or markup rather than removed cleanly. Because style is also listed as an allowed tag, CSS from untrusted article content may survive sanitization and be embedded into generated EPUB/HTML/PDF content, creating active-content and rendering-manipulation risk in downstream readers.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The trigger language is broad enough that the skill could activate on generic reMarkable-related conversation rather than a clear request to upload, fetch, or manage cloud content. Over-broad activation is dangerous here because the skill can access cloud data, fetch external URLs, and operate on files, so accidental invocation can lead to unintended data transmission or account actions.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill does not clearly warn that URLs will be fetched from external websites and that files/articles will be transmitted to reMarkable Cloud. This omission can mislead users about where their content goes and expose sensitive documents, reading history, or internal URLs to third parties without informed consent.

Session Persistence

Medium
Category
Rogue Agent
Content
```bash
{baseDir}/scripts/remarkable.sh upload --file /path/to/book.epub --dir /
```

### Create a folder

```bash
{baseDir}/scripts/remarkable.sh mkdir --path /NewFolder
```
Confidence
90% confidence
Finding
Create a folder

```bash
{baseDir}/scripts/remarkable.sh mkdir --path /NewFolder
```

### Search for files

```bash
{baseDir}/scripts/remarkable.sh find --name "article title"
```

## Notes

- EPUB is

Tool Parameter Abuse

High
Category
Tool Misuse
Content
Install rmapi (Go required):
```bash
cd /tmp && git clone --depth 1 https://github.com/ddvk/rmapi.git
cd rmapi && go build -o /usr/local/bin/rmapi .
```

First run will prompt for a one-time code from https://my.remarkable.com/device/browser?showOtp=true
Confidence
96% confidence
Finding
rmapi && go build -o /usr/local/bin/

VirusTotal

60/60 vendors flagged this skill as clean.
