Back to skill

Security audit

Book Capture Obsidian

Security checks across malware telemetry and agentic risk

Overview

The skill largely matches its Obsidian book-import purpose, but its validation tests can execute Python files from an overly broad parent directory and default Goodreads enrichment sends library metadata to Google Books.

Review before installing. Back up or version-control the Obsidian vault and run migrations with dry-run first. Disable Google enrichment for sensitive libraries, or use a restricted Google Books API key. Avoid running the bundled CI/pytest checks except in a clean sandbox or after constraining the tests to import only the intended skill modules.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill directs the agent to read files, set environment variables, write into an Obsidian vault, invoke shell scripts, and use network-backed enrichment, yet it declares no explicit permissions. This mismatch weakens the trust boundary and can cause users or orchestration systems to authorize a skill they believe is low-privilege when it can actually perform broad local and external actions.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The runbook instructs querying Google Books for all rows during migration without clearly disclosing that book metadata derived from a user's library will be sent to a third-party service. This can expose reading history, interests, and potentially sensitive titles over the network, which is especially relevant in a personal knowledge management context like an Obsidian vault.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
When Google enrichment is enabled, the script sends title, author, and possibly ISBN to the Google Books API. In this skill context, that is an external data disclosure path that may surprise users processing private reading history or pre-release material, especially because enrichment is enabled by default unless disabled via flag or environment.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The test walks the repository, locates Python files, and imports the first file containing a matching function name, which executes that module's top-level code during testing. In a CI or shared repository context, a malicious or compromised file added anywhere under the project tree could be executed unexpectedly, turning test discovery into a code-execution path.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The test dynamically loads and executes whichever Python file in the repository first defines one of several candidate upsert function names. Because spec.loader.exec_module(module) runs top-level module code, a malicious or compromised repository file can execute arbitrary code during test discovery/execution, and the broad recursive search increases the attack surface.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.