Opdscli

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward OPDS ebook CLI helper, with the main caution that authenticated catalog credentials may be stored in plaintext by the underlying tool.

Install only if you trust the upstream opdscli Homebrew tap. Avoid adding sensitive paid-library or private-server credentials unless you accept that opdscli may store them in plaintext in ~/.config/opdscli.yaml, and do not share or commit that config file.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 95%
Finding
The documentation shows a configuration example containing a literal username and password in plaintext, but does not prominently warn that secrets must be protected or avoided in manually edited files. In a CLI skill that manages remote catalogs and authentication, this can normalize insecure secret handling, leading users to store real credentials in config files, shell history, screenshots, or version control.

VirusTotal

66/66 vendors flagged this skill as clean.
